[cryptography] Allergy for client certificates

Guido Witmond guido at witmond.nl
Thu Oct 10 05:16:35 EDT 2013

On 10/09/13 16:41, stef wrote:
> i have something like this eccentric authentication implemented for some time:
> https://github.com/stef/tlsauth
> i also provided django and flask bindings for it
> https://github.com/stef/django-tlsauth
> https://github.com/stef/flask-tlsauth
> and i use this in my "filesharing" service: stash:
> https://github.com/stef/stash/
> dunno how exactly this matches your eccentric auth, but i'd wager it's quite
> close. maybe some of you guys want to play with something practical. maybe you
> find epic bugs, so i can fix them or abandon this idea, thx for all.
> s

Hi Stef,

Please don't abandon the idea: Client Certificates are Cool(tm).

Your implementation is a 'classic' client certificate authentication
scheme where you provide certificates to those you already know. It's
useful when you know your audience, ie, students at a uni, employees.

Signing up, however, is real barrier in any 'classic' scheme as you need
to authenticate people to make sure that they belong to your audience.
And there is a lot of command line work involved at the client.

While you make it easy on the server operator, you forgot the client.

With Eccentric I turn that thing upside down.

1. I try to make it as easy on the client as possible. To the client,
there is no cryptography involved. Only 'accounts'. Creating one is as
easy as clicking a button. In fact, the hardest part is to come up with
an account name. See [0], section: signing up.

2. In eccentric, the client certificate is anonymous. There is no user
identifying information in it. When a visitor to a site wants to log in,
they come up with a nickname and let the user agent (ecca-proxy [1]) do
the work. It is therefore not suitable for a classic scheme at a uni, or

It is meant to help strangers exchange keys and authenticate them to
each other, while even us, the site operator who sign their certificates
can not learn their identities. [1] That's the basis of my "alien dating
site" and the upcoming "cryptoblog".

For example: Would you and I have used an eccentric authenticated blog
site to exchange these messages, we would have authenticated each other
as the writer of the message. By validating the message, we authenticate
each others public key. See: [2]

There is more you can do with client certificates. With proper checking
at the user agent (browser) you can prevent phishing and man in the
middle attacks.

Like I said, Client certificates are Cool(tm).

Regards, Guido.

1: http://eccentric-authentication.org/
2a: http://eccentric-authentication.org/blog/2013/09/28/talk-for-brucon.html
2b: http://eccentric-authentication.org/Brucon-Eccentric.pdf

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20131010/a13a144c/attachment.asc>

More information about the cryptography mailing list