[cryptography] Allergy for client certificates

Guido Witmond guido at witmond.nl
Thu Oct 10 05:21:30 EDT 2013


On 10/09/13 16:47, stef wrote:
> On Wed, Oct 09, 2013 at 02:50:59PM +0100, Michael Rogers wrote:
>> This touches on another question I've been meaning to ask you: what
>> happens if a user creates an account from a client machine, thus
>> installing a client cert on that machine, and then wants to use the
>> account from another machine?
> 
> i guess the user has to use the crappy ui of the browser to extract it. while
> the browser vendors are polishing rounded transparent tabs instead.

Talking about leaving your users in the dark....


>> Also, what happens if a user installs a client cert on a machine and
>> then walks away, leaving their client cert exposed to the next user?
>> With passwords there's an expectation that once you've logged out, the
>> next user can't log into your account. But client certs break that
>> expectation.
> 
> indeed, client auth is bound to the browser in this sense and needs to be
> understood by the users, this is a cognitive entry barrier to usage.

There is nothing that prevents a proper browser from sharing client
certificates with their private key in Firefox Sync among a user's devices.

In fact that would be good as a backup strategy too. Losing a private
key means losing the account.

Regards, Guido.
