[cryptography] Allergy for client certificates

stef s at ctrlc.hu
Wed Oct 9 10:47:25 EDT 2013

On Wed, Oct 09, 2013 at 02:50:59PM +0100, Michael Rogers wrote:
> This touches on another question I've been meaning to ask you: what
> happens if a user creates an account from a client machine, thus
> installing a client cert on that machine, and then wants to use the
> account from another machine?

I guess the user has to use the crappy UI of the browser to extract it, while
the browser vendors are polishing rounded transparent tabs instead.

> Also, what happens if a user installs a client cert on a machine and
> then walks away, leaving their client cert exposed to the next user?
> With passwords there's an expectation that once you've logged out, the
> next user can't log into your account. But client certs break that
> expectation.

Indeed, client auth is bound to the browser in this sense and needs to be
understood by the users; this is a cognitive entry barrier to usage.

pgp: https://www.ctrlc.hu/~stef/stef.gpg
pgp fp: FD52 DABD 5224 7F9C 63C6  3C12 FC97 D29F CA05 57EF
otr fp: https://www.ctrlc.hu/~stef/otr.txt
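The two situations raised above (using the account from a second machine after extracting the cert, and the next person at the same browser being authenticated without any login) can be reproduced end to end with nothing but Go's crypto/tls. The program below is an added example, not code from stef or anyone in the thread: it mints a throwaway CA ("Test CA"), a server cert and a client cert for a user "alice" (all names invented here), runs a loopback TLS server that requires a client certificate, and then reports who the server believes it talked to in four scenarios: the machine where the cert was installed, that same machine again with nobody having "logged out", a second machine that imported the cert and key after they were exported as PEM, and a client with no certificate at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a P-256 key and cert for cn: a self-signed CA if parent is nil, else a leaf signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Outcome is one connection as the server saw it.
type Outcome struct {
	Scenario string
	User     string // CN of the verified client certificate; "" if rejected
	Err      error  // server-side handshake error, if any
}

// session runs one fresh TLS connection from cliCfg to a one-shot server on ln and returns the
// server's verdict; under TLS 1.3 a cert-less client may not see the rejection until it reads.
func session(name string, ln net.Listener, srvCfg, cliCfg *tls.Config) Outcome {
	ch := make(chan Outcome, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		tc := tls.Server(conn, srvCfg)
		if err := tc.Handshake(); err != nil {
			ch <- Outcome{name, "", err} // e.g. "tls: client didn't provide a certificate"
			return
		}
		ch <- Outcome{name, tc.ConnectionState().PeerCertificates[0].Subject.CommonName, nil}
	}()
	if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
		c.Close()
	}
	return <-ch
}

// Demo plays the thread's scenarios against a CA and a user invented for this example.
func Demo() []Outcome {
	ca, caKey := issue("Test CA", nil, nil)
	srvCert, srvKey := issue("server", ca, caKey, x509.ExtKeyUsageServerAuth)
	aliceCert, aliceKey := issue("alice", ca, caKey, x509.ExtKeyUsageClientAuth)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	pair := func(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
		return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
	}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{pair(srvCert, srvKey)}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert} // no client certificate, no service
	// Machine A: the browser where the account was created and the cert installed.
	machineA := &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{pair(aliceCert, aliceKey)}}
	// Machine B: cert+key dug out of the browser as PEM and imported elsewhere; whoever holds these bytes is "alice".
	exported := must(tls.X509KeyPair(
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: aliceCert.Raw}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: must(x509.MarshalECPrivateKey(aliceKey))})))
	machineB := &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{exported}}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	return []Outcome{
		session("machine A, cert installed", ln, srvCfg, machineA),
		session("machine A again, nobody logged out", ln, srvCfg, machineA),
		session("machine B, imported the exported PEM", ln, srvCfg, machineB),
		session("no client certificate", ln, srvCfg, &tls.Config{RootCAs: pool}),
	}
}

func main() { fmt.Println(Demo()) }
```

The first three sessions all come back as "alice" and the fourth is refused during the handshake. The server has no way to tell the second session (whoever sat down at the same browser) from the first, and the "second machine" is just the same bytes presented from elsewhere: the account is the private key, so any notion of logging out has to be enforced where that key lives, on the client, not by the server.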
