[Cryptography] Toxic Combination

Guido Witmond guido at witmond.nl
Thu Dec 4 10:10:31 EST 2014

On 04-12-14 08:21, Peter Gutmann wrote:
> Ben Laurie <benl at google.com> writes:
>> And it has to be secure - which includes "not allow credential theft _even by
>> the site operator_".
> Oh, that's a new one: Set a requirement that can't possibly be met (except
> perhaps through the use of magic) and then claim you can't meet that
> requirement, therefore it's not worth doing.

Gentlemen, there's no need to argue. I claim this requirement can be met
(and without magic).

Just as there is a Certificate Transparency project for server
certificates we need a similar thing for client certificates. I call it
the Registry of Dishonesty. [0] [1]

And there is a demo too:

download: http://eccentric-authentication.org/download/ecca-proxy.tgz
install: libunbound2 and perhaps libsqlite3
run it  ./ecca-proxy

then configure your browser to use as http proxy.
browse to: http://dating.wtmnd.nl:10443/
or:        http://cryptoblog.wtmnd.nl:10500/

Happy hacking.

Regards, Guido Witmond.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141204/28b9417c/attachment.sig>

More information about the cryptography mailing list