[Cryptography] Toxic Combination

Guido Witmond guido at witmond.nl
Thu Dec 4 10:10:31 EST 2014


On 04-12-14 08:21, Peter Gutmann wrote:
> Ben Laurie <benl at google.com> writes:
>> And it has to be secure - which includes "not allow credential theft _even by
>> the site operator_".
> 
> Oh, that's a new one: Set a requirement that can't possibly be met (except
> perhaps through the use of magic) and then claim you can't meet that
> requirement, therefore it's not worth doing.
> 

Gentlemen, there's no need to argue. I claim this requirement can be met
(and without magic).

Just as there is a Certificate Transparency project for server
certificates, we need a similar thing for client certificates. I call it
the Registry of Dishonesty. [0] [1]

And there is a demo too:

download: http://eccentric-authentication.org/download/ecca-proxy.tgz
install: libunbound2 and perhaps libsqlite3
run it: ./ecca-proxy

then configure your browser to use 127.0.0.1:8000 as http proxy.
browse to: http://dating.wtmnd.nl:10443/
or:        http://cryptoblog.wtmnd.nl:10500/

Happy hacking.

Regards, Guido Witmond.


0:
http://eccentric-authentication.org/blog/2014/03/26/how-to-design-a-distributed-client-certificate-verification-service.html

1:
http://eccentric-authentication.org/eccentric-authentication/global_registry_of_dishonesty.html
