On 10/06/2009 01:18 PM, Ian G:
> Thing is, client certs are one of the few bright spots in security, looking forward. They remove the passwords from the equation.
For once we are on the same page....
> And for those who can still dream, it opens the way for things like signing of documents ;-) It takes us closer to there being only one mode, and it is secure.
Very correct.
> The results have been good (e.g., spam is now OFF). I've heard that Eddy does similar over at his CA.
It was our condition for "accounts" in 2007; previously there was only a walk-through process. StartCom has implemented client certificate authentication strictly on all important interfaces (in combination with OpenID authentication; StartSSL is also an OpenID provider).
> What is clear is that the rough edges (current thread on no clear help to the user, but also the recording to cert-URL preferences in a whitelist of some form, S/MIME issues, and the key backup problem) are holding us up. There is no way to expand this form of security beyond the techie audience until client certs have become much more end-user friendly.
It works for most as long as there is no issue and users follow the instructions correctly. It bites you when this doesn't happen.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto