[cryptography] Allergy for client certificates

Thierry Moreau thierry.moreau at connotech.com
Fri Oct 11 08:52:46 EDT 2013


Guido Witmond wrote (in reference to eccentric authentication):
> 
> Another (not a killer)-feature (for users) is that they are in control
> of the account. When they delete the private key, their account is
> closed. No one else can come later and claim the account. Unless they
> copied the private key beforehand.
> 

A reality check may turn this from a feature into a serious flaw: 
it's account continuity that matters to server-vendors and 
client-customers as well.

Server: a very good customer account vanishes suddenly and pops up as a 
new account (which one?) among the 200 or so that made a first 
transaction during the next week. Even the vanishing event cannot be 
detected!

Client: I relied on the server to keep track of past purchase details, 
and for a crypto-&?%# reason (do I care?) I lost them. Even worse, I 
can't create a new account with my real name (it says it's already 
enrolled while in fact it no longer works).

Solving this issue in your experiment is going to re-introduce much of 
the PKI complexity.

Sorry for asking tough questions, but maybe they would pop up sooner or 
later if this experiment goes forward.


-- 
- Thierry Moreau
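Added example (not part of the thread, and not code from the eccentric 
authentication project): a minimal model of the account binding the two 
posts argue about, written to make the key-loss objection concrete. It 
assumes a site that keys accounts by the nickname in a client 
certificate's CN and pins the SHA-256 of the certificate's 
SubjectPublicKeyInfo at first enrollment; the certificate is self-signed 
here purely to keep the example offline (the scheme under discussion has 
the site's CA sign it, which changes nothing about the argument). The 
nonce, nickname and order identifiers are constructed for the example. 
Login also checks proof of possession by signing the nonce, which in a 
real deployment is the TLS handshake's job.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrNameTaken   = errors.New("nickname already enrolled")
	ErrKeyMismatch = errors.New("no account enrolled under this name with this key")
	ErrBadProof    = errors.New("challenge signature does not verify")
)

// Account: the SHA-256 of the client's SubjectPublicKeyInfo, pinned at enrollment, plus history.
type Account struct {
	SPKIPin   string
	Purchases []string
}

// Server keeps accounts keyed by nickname, i.e. the certificate's CN.
type Server map[string]*Account

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newClientCert generates a fresh Ed25519 key and a self-signed certificate whose CN is
// the nickname (self-signed only to keep the example offline; the scheme uses a site CA).
func newClientCert(nickname string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: nickname},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, priv
}

func spkiPin(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo))
}

// Enroll binds the CN to the key; a taken name is refused whoever presents it.
func (s Server) Enroll(cert *x509.Certificate) error {
	name := cert.Subject.CommonName
	if _, taken := s[name]; taken {
		return ErrNameTaken
	}
	s[name] = &Account{SPKIPin: spkiPin(cert)}
	return nil
}

// Login admits a certificate only if its key is the one pinned under its CN and the
// holder proves possession by signing the nonce (the TLS handshake's job in reality).
func (s Server) Login(cert *x509.Certificate, nonce, sig []byte) (*Account, error) {
	acct, ok := s[cert.Subject.CommonName]
	if !ok || acct.SPKIPin != spkiPin(cert) {
		return nil, ErrKeyMismatch
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, nonce, sig) {
		return nil, ErrBadProof
	}
	return acct, nil
}

// KeyLossScenario: "alice" enrolls and shops, loses her private key, and returns with a
// new key under the same nickname. It reports how re-enrollment and re-login end.
func KeyLossScenario() (reenroll, relogin error, historyOrphaned bool) {
	srv, nonce := Server{}, []byte("constructed server nonce")
	cert, priv := newClientCert("alice")
	must(srv.Enroll(cert))
	acct, err := srv.Login(cert, nonce, ed25519.Sign(priv, nonce))
	must(err)
	acct.Purchases = append(acct.Purchases, "order-1", "order-2")
	// The key is now deleted: priv is never used again. Nothing changes on the server.
	cert2, priv2 := newClientCert("alice")
	reenroll = srv.Enroll(cert2)
	_, relogin = srv.Login(cert2, nonce, ed25519.Sign(priv2, nonce))
	historyOrphaned = len(srv["alice"].Purchases) == 2 && relogin != nil
	return reenroll, relogin, historyOrphaned
}
```

Running KeyLossScenario shows both halves of the objection at once: the 
server's record for "alice" is untouched, so nothing marks the account 
as dead, while the returning customer is refused both a new enrollment 
under her name and access to the order history that name still holds.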
