[Cryptography] client certificates ... as opposed to password hashing

ianG iang at iang.org
Tue May 27 07:21:48 EDT 2014


On 27/05/2014 00:14 am, John Denker wrote:

> 3) HOWEVER >>>>> None of that really makes sense.  For the
>  same amount of work ... actually *LESS* work ...


+1


> we could
>  get a better result using client certificates.
> 
>  I'm not talking about the existing client certificates, 
>  which are a horror show:
>   http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500

As an aside, the trick is to bypass Apache config on client certs and do
it in code.  It turns out to be no worse than passwords to code & run,
much easier to manage because change is outsourced, and it lacks the
"oops-breached" moment of terror.


>  I'm talking about how it could be done, how it should be done.

Not that I'm disagreeing with that.



iang

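The in-code approach iang mentions, as an added example that is not from the thread (it assumes Go's crypto/tls and a store keyed by certificate fingerprint; the DER bytes in main are constructed placeholders, not real certificates):

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// UserStore maps the SHA-256 fingerprint of an enrolled client certificate (DER
// bytes) to a username; enrolling or rotating a cert is an edit to this map.
type UserStore map[string]string

func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

func (s UserStore) Enroll(user string, der []byte) { s[Fingerprint(der)] = user }

// VerifyClient is the application-side check, installed as tls.Config's
// VerifyPeerCertificate hook. The handshake already proved the client holds the
// private key for rawCerts[0]; here we decide whether that key is enrolled.
func (s UserStore) VerifyClient(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("no client certificate presented")
	}
	if _, ok := s[Fingerprint(rawCerts[0])]; !ok {
		return errors.New("client certificate not enrolled")
	}
	return nil
}

// TLSConfig requests a client cert, skips CA chain validation
// (RequireAnyClientCert) and leaves the accept/reject decision to VerifyClient.
// Handlers can then identify the user via Fingerprint(r.TLS.PeerCertificates[0].Raw).
func (s UserStore) TLSConfig() *tls.Config {
	return &tls.Config{ClientAuth: tls.RequireAnyClientCert, VerifyPeerCertificate: s.VerifyClient}
}

func main() {
	// Constructed stand-in for a client cert's DER bytes; VerifyClient only hashes it, so any bytes exercise it.
	alice := []byte("constructed-der-for-alice")
	store := UserStore{}
	store.Enroll("alice", alice)
	fmt.Println(store.VerifyClient([][]byte{alice}, nil))           // <nil>
	fmt.Println(store.VerifyClient([][]byte{[]byte("other")}, nil)) // client certificate not enrolled
}
```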
