[cryptography] Client TLS Certificates - why not?

Ben Laurie ben at links.org
Tue Mar 5 14:01:42 EST 2013

On 5 March 2013 18:41, StealthMonger <StealthMonger at nym.mixmin.net> wrote:
> Hash: SHA1
> Jeffrey Walton <noloader at gmail.com> writes:
>> Its the key distribution problem. Its the cause of all the troubles.
> I don't understand.  Please explain.
> What's wrong with the following simple idea:
> 1. p2p: The parties opportunistically verify out-of-band after
> exchanging keys via public key servers or (insecure) email.
> 2. Prospective customer verification of merchant: Merchant includes
> the ID of its signing key in every advertisement and repeatedly
> admonishes prospects to "Accept No Substitutes".
> 3.  Merchant authentication of Customer: Merchants don't deal with
> people.  They deal with keys.  It's the key that has the purchasing
> power, not some person.  Nobody has the illusion that correlation
> between key and person is any stronger than that person's security
> habits.
> 4.  Etc.

Whilst all these ideas are useful parts of the picture, the challenge
is to construct something that is:

1. Robust - or at least as robust as what we have.

2. Usable - or at least as usable as what we have.

3. Cheap - or at least as cheap as what we have.

4. Secure - or at least as secure as what we have.

5. Fast - or at least as fast as what we have (and by this I
specifically mean extra round trips, DNS resolutions, etc. are not

There may be more. And presumably any new proposal will have to also
excel in at least one area, or why change?

In any case, this short list is hard enough to satisfy.

This is why I favour PKI + Certificate Transparency as a way forward.
CT should not make things much worse along any axis, and it has a
convincingly strong story for a tangible security improvement.

More information about the cryptography mailing list