On 03/17/2009 02:45 PM, Johnathan Nightingale:
> I think the implicit 4th step there is evangelism, because I think
> they're a much more robust identification/authentication technology
> than login+pw, or most of login+pw's would-be replacements. But I
> also think there's no point evangelizing the current state of affairs,
> for the reasons and frustrations you've already outlined. :)

A certain CA has been doing a lot of evangelism with client certs
despite the brokenness of the session handling (whoever is to blame for
this - which reminds me about some theory about what happens exactly
when the browser opens multiple connections at once with the server...).
Username / password pairs are one of the sources of the current
problems on the net, be it for web site authentication (phishing,
weak passwords) or other services like mail, ssh and so forth.

>> Finally, and this is the really difficult question: what are the
>> policy implications here?
>
> Need there be? Certainly we should avoid annoying our users with
> endless prompts AND we should avoid compromising our users by enabling
> new forms of invisible tracking, but there's a healthy middle ground
> of user choice that can be clearly understood and communicated
> ("Always use this certificate for this site") that seems to me,
> perhaps naively, not to be overloaded on policy. What am I overlooking?

One note here. I'd prefer to decide at least once per browser session
(until restart) which certificate to use - with a "Forget" button a must
in such an implementation.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
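As an added illustration of the two points raised in the message above (it is not code from the thread, from Mozilla or from any browser), the following Python model shows a browser-side client-certificate selection policy that prompts the user at most once per browser session for a given origin, offers the "Forget" action Eddy asks for, and shares the decision across the several connections a browser opens to one site at the same time, so that the parallel-connection case does not turn into a burst of prompts. The origin, certificate labels and the `ask_user` callback are constructed for the example.

```python
"""Constructed model of per-session client-certificate selection.

Not the code of any real browser: it models the policy discussed on the
list ("decide once per session, with a Forget button") and shows why the
remembered choice must be shared between connections opened in parallel.
"""
import threading
from dataclasses import dataclass, field


@dataclass
class ClientCertChooser:
    # ask_user(origin, candidates) -> chosen cert label, or None to send no
    # cert. In a browser this is the certificate prompt; here it is injected
    # so a test can count how often the user is actually asked.
    ask_user: callable
    _choices: dict = field(default_factory=dict)    # origin -> decision
    _lock: threading.Lock = field(default_factory=threading.Lock)
    _pending: dict = field(default_factory=dict)    # origin -> per-origin gate

    def choose(self, origin: str, candidates: list[str]):
        """Return the cert to present to `origin`, prompting at most once per
        session even when several connections ask concurrently."""
        with self._lock:
            if origin in self._choices:
                return self._choices[origin]
            gate = self._pending.setdefault(origin, threading.Lock())
        # Serialise askers for this origin: only the first one reaches the
        # prompt, the others wait and then reuse its answer.
        with gate:
            with self._lock:
                if origin in self._choices:
                    return self._choices[origin]
            decision = self.ask_user(origin, candidates)
            with self._lock:
                self._choices[origin] = decision   # None ("no cert") is remembered too
            return decision

    def forget(self, origin: str) -> None:
        """The 'Forget' button: the next connection to origin prompts again."""
        with self._lock:
            self._choices.pop(origin, None)

    def end_session(self) -> None:
        """Browser restart: no decision survives, every site prompts again."""
        with self._lock:
            self._choices.clear()


def _first_cert_user(prompts: list):
    """Build a stand-in user who records each prompt and picks the first cert."""
    def ask(origin, candidates):
        prompts.append(origin)
        return candidates[0]
    return ask


def simulate_parallel_connections(n: int = 6) -> tuple[int, set]:
    """Open n connections to one origin at once (a page plus its sub-resources)
    and report how many prompts the user saw and which certs were sent."""
    prompts, sent = [], []
    chooser = ClientCertChooser(_first_cert_user(prompts))
    candidates = ["client-cert-A", "client-cert-B"]    # constructed labels

    def connection():
        sent.append(chooser.choose("https://example.test", candidates))

    threads = [threading.Thread(target=connection) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(prompts), set(sent)


def walkthrough() -> tuple[int, list]:
    """Sequential use: remembered choice, Forget, then a browser restart."""
    prompts = []
    chooser = ClientCertChooser(_first_cert_user(prompts))
    c = ["client-cert-A", "client-cert-B"]
    origin = "https://example.test"
    first = chooser.choose(origin, c)     # prompt #1
    second = chooser.choose(origin, c)    # remembered, no prompt
    chooser.forget(origin)
    third = chooser.choose(origin, c)     # prompt #2
    chooser.end_session()
    fourth = chooser.choose(origin, c)    # prompt #3
    return len(prompts), [first, second, third, fourth]


if __name__ == "__main__":
    print("parallel:", simulate_parallel_connections())
    print("walkthrough:", walkthrough())
```

Without the per-origin gate, each of the six parallel connections would race past the cache check and the user would see six prompts for one page load; the gate is what makes "once per session" hold in practice rather than only for strictly sequential requests.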