On 06/10/2009 00:48, Robert Relyea wrote:

> Fortunately, I don't believe this is the final word on the matter. :)

One would hope not :)

Thing is, client certs are one of the few bright spots in security, looking forward. They remove the passwords from the equation. This forces that phisher-attacker into the "real-time MITM" space instead of the "lazy-time MITM" space. And the MITB attacker into the "total-take-over" space as opposed to the "embarrassing" space.

And it has substantial benefits in the support equations of businesses, which equations drive businesses far more than security aka blah blah.

And for those who can still dream, it opens the way for things like signing of documents ;-) It takes us closer to there being only one mode, and it is secure.



Practically, CAcert is moving towards a practice of "all access by certs" and has at some effort converted a few systems across to this method. Last week we moved wordpress over to write-by-cert only. The results have been good (e.g., spam is now OFF). I've heard that Eddy does similar over at his CA.

It is somewhat of an eternal discussion at the pub as to why this part of the SSL project moved to the "demo" stage and then stopped. I would say that it is because the industrials that were interested in it couldn't see how to monetarise the client cert, so they declined to fund the development (others will say other things).



For Mozilla, which should be interested in end-user security, an entirely different subject to client-wallet security, this should be much closer to something interesting.

What is clear is that the rough edges (current thread on no clear help to the user, but also the recording of cert-URL preferences in a whitelist of some form, S/MIME issues, and the key backup problem) are holding us up. There is no way to expand this form of security beyond the techie audience until client certs have become much more end-user friendly.

Perhaps we should pass a policy rule that says that all server certs issued by CAs must include the WITH-CLIENT-CERT-ONLY flag in them, after say 2010?



iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto