Hi Julien,

My posting MAY be considered as a "speculation" since this has not
happened yet.  The reason why this *could* become a reality is
the success of web-based services including outsourced dittos.
The latter seriously limits the applicability of VPN connections
and platform attestation at the network transport level.

I can even imagine that certain critical C2G services may not be
accessible from "unsecured" computers.

What is *not* a speculation however, is that SSL/TLS client-auth
is seriously challenged by application-level authentication using
SAML-like schemes.  This is due to the fact that the browser
vendors have not (yet) realized that signatures are already in
widespread use in the EU[*].  Due to the unavailability of browser
support for this, proprietary Java applets using non-browser
and non-OS crypto are typically used.  It would be a piece of
cake to extend SAML with platform attestations if needed.

Anders

*]  And Asia...
http://korea.gnu.org/openweb/1/indexE.html

----- Original Message -----
From: "Julien Pierre" <[EMAIL PROTECTED]>
Newsgroups: mozilla.dev.tech.crypto
To: <dev-tech-crypto@lists.mozilla.org>
Sent: Tuesday, July 18, 2006 03:23
Subject: Re: Platform Attestation. was: To SSL-client-auth or not to SSL-client-auth, that is the question(?)


Anders,

Anders Rundgren wrote:
> Another reason why SSL client authentication may go bust is that it does
> not support the inclusion of platform attestations, something that may
> be required when TPMs become standard.  That is, you may [in the future]
> not be able to access corporate web-mail (or other sensitive web apps),
> from a machine that does not appear to run a "safe" operating system.
> Some organizations may not allow employees to access web-mail from an
> unknown machine even if it is "safe".  Alternative authentication
> mechanisms, typically riding on top of an SSL channel, can with ease
> provide platform attestations together with the authentication response.

Does that "platform attestation" really belong at the transport level?

It seems like such a repugnant idea anyway. Services like webmail are
supposed to be usable from any browser, on any computer, on any OS.
That's why they are successful in the first place. This kind of lock
certainly belongs in a proprietary client-server system, but for use on
the open Internet, I'm skeptical.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


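The mechanism Anders describes in the quoted paragraph, an authentication response riding on top of the SSL channel that carries a platform attestation alongside the user's credential, sketched below as an added example. This is not code from the thread, from Mozilla/NSS, or from any SAML product; the message layout, the field names, the single-use nonce bookkeeping, and the use of HMAC with pre-shared secrets in place of the user's signing key and the TPM's attestation identity key are all simplifying assumptions, and the PCR values are constructed. What it does show is the check order a relying party needs: the attestation must be bound to a fresh server nonce (so a quote from a "safe" machine cannot be replayed) and must sit inside the signed response (so it cannot be swapped in from another platform).

```python
import hashlib
import hmac
import json
import secrets

# Constructed illustration keys.  A real client would sign the response with
# the user's certificate key and the quote with the TPM's attestation identity
# key (AIK); HMAC with pre-shared secrets stands in for both here.
USER_KEY = b"constructed-user-signing-key"
AIK_KEY = b"constructed-attestation-identity-key"
AUDIENCE = "https://webmail.example.test"   # hypothetical relying party


def canonical(obj):
    """Deterministic serialization so signer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def pcr_digest(pcrs):
    """Digest over the PCR bank, in index order, so both sides agree on it."""
    h = hashlib.sha256()
    for idx in sorted(pcrs, key=int):
        h.update(bytes.fromhex(pcrs[idx]))
    return h.hexdigest()


# Constructed "known-good" platform state the relying party is willing to accept.
KNOWN_GOOD_PCRS = {"0": "aa" * 32, "7": "bb" * 32}
ALLOWED_PCR_DIGESTS = {pcr_digest(KNOWN_GOOD_PCRS)}


def user_sign(body):
    """Signature over every field of the response except the signature itself."""
    unsigned = {k: v for k, v in body.items() if k != "signature"}
    return hmac.new(USER_KEY, canonical(unsigned), hashlib.sha256).hexdigest()


def platform_quote(nonce, pcrs):
    """Stand-in for a TPM quote: binds the PCR state to the server's nonce."""
    msg = (nonce + pcr_digest(pcrs)).encode()
    return hmac.new(AIK_KEY, msg, hashlib.sha256).hexdigest()


def client_response(nonce, pcrs, subject="alice", audience=AUDIENCE):
    """Application-level authentication response carrying the attestation."""
    body = {
        "subject": subject,
        "audience": audience,
        "nonce": nonce,
        "attestation": {"pcrs": pcrs, "quote": platform_quote(nonce, pcrs)},
    }
    body["signature"] = user_sign(body)
    return body


class RelyingParty:
    """Server side: issues nonces and checks responses in a fixed order."""

    def __init__(self):
        self.pending = set()

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, resp):
        nonce = resp.get("nonce")
        if nonce not in self.pending:
            return False, "unknown or replayed nonce"
        self.pending.discard(nonce)          # single use, even if later checks fail
        if resp.get("audience") != AUDIENCE:
            return False, "audience mismatch"
        if not hmac.compare_digest(user_sign(resp), resp.get("signature", "")):
            return False, "bad response signature"
        att = resp.get("attestation", {})
        pcrs = att.get("pcrs", {})
        if not hmac.compare_digest(platform_quote(nonce, pcrs), att.get("quote", "")):
            return False, "bad attestation quote"
        if pcr_digest(pcrs) not in ALLOWED_PCR_DIGESTS:
            return False, "platform state not permitted"
        return True, "ok"


if __name__ == "__main__":
    rp = RelyingParty()
    good = client_response(rp.issue_nonce(), KNOWN_GOOD_PCRS)
    print(rp.verify(good))   # (True, 'ok')
    print(rp.verify(good))   # second presentation of the same response is rejected
```

Two things the sketch deliberately leaves out, because the thread does not go into them: the real TPM quote structure, and verification of the AIK certificate chain that tells the relying party the quote came from a genuine TPM rather than from software holding a key. Without the latter, the PCR allow-list is only as trustworthy as the key that produced the quote.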