Anders Rundgren wrote:
> Today I was in a meeting with Swedish bank-people. They
> told me that they are planning exodus from TLS-client-cert-auth
> because it (in their opinion) works really badly.

Well, most times I don't count bank-people as IT security experts.

> So what's the problem with TLS-client-cert-auth?

Unfortunately the biggest problem is that it's not used very often. ;-)

> it matches poorly with web sessions including logout

Why should it match application sessions? Because the web application developers are too dumb to get the session handling right for themselves? Because the "logout" does not behave like they are used to with passwords?

> - the GUI looks like c--p

???

> - it offers no branding capability

Ah, well... frankly I'm very glad that no-one can place banner ads in this UI part. And I'd rather translate this to: It does not offer possibilities for spoofing attacks. ;-)

> - it requires PIN caching for smart cards

If you configure your web server properly to do SSL session caching you don't need PIN caching.

> - it is poorly implemented in many browsers with respect to path building

Can you explain this?

> - it offers very limited filtering capability

What do you want to filter? At which point?

The only caveat is that the authentication ends at the first SSL end-point. Most times this is a reverse proxy server, not the web application server itself. So the web application server has to fully trust the web frontend server. But behind this web frontend server you can do filtering of requests.

Ciao, Michael.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
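As an added example, not taken from the thread, here is the setup Michael describes expressed as an Apache httpd configuration: the front end caches SSL sessions (so the smart card is not asked for its PIN on every connection), terminates client-certificate authentication at the first SSL end-point, filters requests there by certificate attributes, and forwards the verified identity to the application server behind it, which has to trust only this proxy. The hostnames, file paths and the organisation name "Example Bank" are assumed placeholders.

```apache
# Added illustration, not from the mailing-list post. Hostnames, paths and
# the organisation name are placeholders.

# Server-wide SSL session cache: resumed sessions skip the full handshake,
# so the client certificate (and the card PIN) is not needed per request.
SSLSessionCache        "shmcb:/var/run/httpd/ssl_scache(512000)"
SSLSessionCacheTimeout 1800

<VirtualHost *:443>
    ServerName bank.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/bank.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/bank.example.com.key

    # Client-certificate verification ends here, at the first SSL end-point.
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/ssl/certs/customer-ca-chain.pem
    SSLOptions +StdEnvVars

    # Filtering behind the end-point: only certificates whose subject
    # organisation is the bank's own may reach the staff area.
    <Location "/staff">
        Require expr "%{SSL_CLIENT_S_DN_O} == 'Example Bank'"
    </Location>

    # Forward the verified subject DN to the application server. "set"
    # overwrites any copy of this header a client sent, and the backend
    # must accept it only from this proxy, since it fully trusts the front end.
    RequestHeader set X-SSL-Client-S-DN "%{SSL_CLIENT_S_DN}s"
    ProxyPass        "/" "http://app.internal:8080/"
    ProxyPassReverse "/" "http://app.internal:8080/"
</VirtualHost>
```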