[Cryptography] client certificates ... as opposed to password hashing
John Denker
jsd at av8n.com
Tue May 27 18:04:20 EDT 2014
There have been a number of good comments in this thread.
I won't go into details about the stuff we agree on.
OTOH, there are a couple of points that might benefit
from correction or clarification:
The client certificate does not need to be signed ... not
signed before use, anyway. By way of analogy, note that
in the present e-commerce scheme, my password is not signed!
So an unsigned certificate can do everything a password can
do, and more.
Doing without the third-party signature greatly simplifies
the process of creating the certificate. This improves the
user experience.
Note that Joe User can easily have a separate certificate-
pair for each merchant. The certificate manager can handle
this with ease. (I already use a different email and different
password for each merchant, and have done for many years.)
=========
As a related point, dealing with certificates does create
a burden on the user ... but dealing with passwords (with
any semblance of security) also creates a burden. Also,
having your account information compromised every few
months (Target, eBay, ...) also creates a burden!
On 05/27/2014 01:53 AM, Guido Witmond wrote:
> I'm looking for sponsors to make the browser plugin and the server
> side certificate handling into easy to use packages.
I reckon Citibank should sponsor something like this. The
US e-commerce sector is on the order of 350 gigabucks per
year. Insecurity is already making people less willing to
shop online. You could make a pretty strong business case
that improving security and usability are worth the cost.
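The following is an added example, not part of the original post or of any project mentioned in the thread. It shows how a merchant could accept an unsigned (self-signed) per-merchant client certificate by storing only a hash of its public key at enrolment. Assumptions: the names `newClientCert`, `pin`, `verifyLogin` and `shop.example` are hypothetical, Ed25519 is an arbitrary choice, and the signed challenge stands in for the proof of possession that a TLS client-certificate handshake performs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newClientCert makes a self-signed certificate (no third-party CA) for one merchant.
func newClientCert(merchant string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "joe-user@" + merchant},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// pin is what the merchant stores at enrolment: a hash of public data only.
func pin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// verifyLogin requires the enrolled key and a signature over this session's challenge.
func verifyLogin(stored [32]byte, c *x509.Certificate, challenge, sig []byte) bool {
	p := pin(c)
	pub, ok := c.PublicKey.(ed25519.PublicKey)
	return ok && bytes.Equal(p[:], stored[:]) && ed25519.Verify(pub, challenge, sig)
}

func main() {
	cert, priv, _ := newClientCert("shop.example")
	challenge := make([]byte, 32) // fresh per login, so old signatures cannot be replayed
	rand.Read(challenge)
	fmt.Println("login ok:", verifyLogin(pin(cert), cert, challenge, ed25519.Sign(priv, challenge)))
}
```

Unlike a password database, the stored pin contains nothing a thief could use to log in, and a key pair generated for one merchant is useless at another.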