[Cryptography] client certificates ... as opposed to password hashing

Guido Witmond guido at witmond.nl
Tue May 27 04:53:38 EDT 2014


On 05/27/14 01:14, John Denker wrote:
> Imagine a far-away culture where there is a recent fad 
> that involves putting lipstick on pigs.  This is a hard 
> thing to do.  Lots of things can go wrong.  
> 
> More recently, somebody decided to have a contest to find 
> the absolutely optimal way of doing it.  A bunch of smart
> people took it as a challenge.  They discussed it at great 
> length.  They even organized a pig-makeup /contest/ to see 
> who was the smartest of them all.
> 
> Then one day one of the children asked, why are you trying
> so hard to optimize something that you shouldn't be doing
> at all?

I'll play that child:


I have built a prototype that shows that it can be done. Instead of a
browser plug-in, I use a client side proxy. The browser connects with
http to the proxy, the proxy does all the certificate handling with the
sites. It can be built into a browser plug-in quite easily.

It needs a little change at the server side too. However, replacing
passwords with certificates makes server software easier too.

I'll be speaking about exactly these issues at the ICANN meeting in
London on June 25th. In short: the combination of DNSSEC, DANE and
client certificates solves the MITM-problem.


Please see the walkthrough at [1]. The demo [2] is down at the moment,
will bring it up again tonight/tomorrow.

Regards, Guido Witmond.

PS. I'm looking for sponsors to make the browser plugin and the server
side certificate handling into easy to use packages.

[1]:
http://eccentric-authentication.org/blog/2013/06/12/walkthrough-datingsite.html

[2]:
http://eccentric-authentication.org/blog/2012/10/22/the-worlds-most-private-dating-site.html


