Anders,
Anders Rundgren wrote:
> Another reason why SSL client authentication may go bust is that it does not support the inclusion
> of platform attestations, something that may be required when TPMs become standard. That is, you
> may [in the future] not be able to access corporate web-mail (or other sensitive web apps), from a
> machine that does not appear to run a "safe" operating system. Some organizations may
> not allow employees to access web-mail from an unknown machine even if it is "safe".
> Alternative authentication mechanisms, typically riding on top of an SSL channel, can with ease
> provide platform attestations together with the authentication response.
Does that "platform attestation" really belong at the transport level?
It seems like such a repugnant idea anyway. Services like webmail are
supposed to be usable from any browser, on any computer, on any OS.
That's why they are successful in the first place. This kind of lock
certainly belongs in a proprietary client-server system, but for use on
the open Internet, I'm skeptical.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto