[Cryptography] client certificates ... as opposed to password hashing
ianG
iang at iang.org
Tue May 27 07:21:48 EDT 2014
On 27/05/2014 00:14 am, John Denker wrote:
> 3) HOWEVER >>>>> None of that really makes sense. For the
> same amount of work ... actually *LESS* work ...
+1
> we could
> get a better result using client certificates.
>
> I'm not talking about the existing client certificates,
> which are a horror show:
> http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500
As an aside, the trick is to bypass Apache config on client certs and do
it in code. It turns out to be no worse than passwords to code & run,
much easier to manage because change is outsourced, and it lacks the
"oops-breached" moment of terror.
> I'm talking about how it could be done, how it should be done.
Not that I'm disagreeing with that.
iang
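The "bypass Apache config on client certs and do it in code" approach described above, as an added example that is not part of the thread: Apache only requests a client certificate and exports it, and the application decides whose it is by fingerprint, storing no secret that a breach could expose. The Apache directives in the comment, the in-memory user table and the sample certificates are assumptions constructed for the example.

```python
# Assumed Apache config (hypothetical), in the TLS virtual host:
#   SSLVerifyClient optional_no_ca    # ask for a cert; no CA chain required
#   SSLOptions      +ExportCertData   # expose the PEM as SSL_CLIENT_CERT
import base64
import hashlib
import ssl
from typing import Dict, Optional

# Stand-in user database: username -> SHA-256 fingerprint of the DER cert (public data).
REGISTRY: Dict[str, str] = {}

def fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER bytes, as `openssl x509 -sha256 -fingerprint` prints."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)  # raises ValueError on malformed PEM
    return hashlib.sha256(der).hexdigest()

def register(username: str, pem_cert: str) -> str:
    """Enrol the certificate presented at sign-up (trust on first use)."""
    REGISTRY[username] = fingerprint(pem_cert)
    return REGISTRY[username]

def authenticate(environ: dict) -> Optional[str]:
    """Map the client cert in a WSGI/CGI environ to a username, or None."""
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    # SUCCESS: chained to a CA Apache trusts. GENEROUS: presented under
    # optional_no_ca without a trusted chain (the self-signed case). Anything
    # else means no cert was sent or a handshake check failed: no identity.
    if verify not in ("SUCCESS", "GENEROUS"):
        return None
    try:
        fp = fingerprint(environ.get("SSL_CLIENT_CERT", ""))
    except ValueError:
        return None
    # The TLS handshake already proved possession of the matching private key;
    # the application only decides whether it trusts this particular public key.
    for user, known in REGISTRY.items():
        if fp == known:
            return user
    return None

def make_pem(der: bytes) -> str:
    """Wrap bytes as PEM; used only to build the constructed samples below."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed stand-ins (not real X.509 data; only the bytes matter here).
ALICE_PEM = make_pem(b"constructed DER of alice's self-signed certificate")
MALLORY_PEM = make_pem(b"constructed DER of a certificate nobody enrolled")
register("alice", ALICE_PEM)
```

Enrolment replaces password storage: rotating or revoking a user's key is a one-row change to the fingerprint table, and the table itself contains nothing worth stealing.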