[Cryptography] client certificates ... as opposed to password hashing

ianG iang at iang.org
Wed May 28 04:38:04 EDT 2014


On 27/05/2014 22:48 pm, Steve Weis wrote:
...
> In general, initial setup per device for client-side certs is still a
> pain, as is maintaining support across many different platforms and
> browsers. That's why I think client-side certificates have really only
> worked for organizations with closed sets of users and full-time
> support staffs.

Yep, concur.

> However, for mobile apps, client-side certs might work well if they
> were generated upon installation, without any user interaction.

If you're in your own app, talking to your own server then you might as
well use something better than certs/PKI/x.509.  The heavy lifting will
be less, the customisation will be real, and the experience can avoid
all the minefields.


> For
> example, Twitter's app is generating a client-side keypair for login
> verification, which is somewhat acting like a client-side certificate:
> https://blog.twitter.com/2013/login-verification-on-twitter-for-iphone-and-android


Like Twitter ... the point of client certs is only when you're using
the web as per Mozilla-think.



iang
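The flow the thread describes, a keypair generated on the device at install time and used for login verification with no X.509 or PKI involved, as an added example that is not part of the original post and not Twitter's code. It assumes an Ed25519 challenge-response design: the server records the device's public key once over an already-authenticated session, issues a fresh random nonce per login, and verifies the device's signature over that nonce; the device IDs and the context string are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server holds the public keys of enrolled devices and any outstanding challenge.
// There is no CA and no certificate: the server trusts a key because it was
// registered during an already-authenticated session, not because someone signed it.
type Server struct {
	devices map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{
		devices: make(map[string]ed25519.PublicKey),
		pending: make(map[string][]byte),
	}
}

// Enroll binds a device ID to its public key. A device ID is enrolled only once;
// replacing a lost phone should be a separate, explicitly authenticated flow.
func (s *Server) Enroll(deviceID string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("bad public key length")
	}
	if _, exists := s.devices[deviceID]; exists {
		return fmt.Errorf("device %q already enrolled", deviceID)
	}
	s.devices[deviceID] = pub
	return nil
}

// NewChallenge issues a fresh 32-byte random nonce for the device to sign.
// Issuing a new challenge invalidates any unanswered one.
func (s *Server) NewChallenge(deviceID string) ([]byte, error) {
	if _, ok := s.devices[deviceID]; !ok {
		return nil, fmt.Errorf("unknown device %q", deviceID)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[deviceID] = nonce
	return nonce, nil
}

// VerifyLogin checks sig over the pending challenge and consumes the challenge,
// so a captured signature cannot be replayed for a second login.
func (s *Server) VerifyLogin(deviceID string, sig []byte) bool {
	pub, ok := s.devices[deviceID]
	nonce, hasChallenge := s.pending[deviceID]
	if !ok || !hasChallenge {
		return false
	}
	delete(s.pending, deviceID)
	return ed25519.Verify(pub, loginMessage(deviceID, nonce), sig)
}

// loginMessage prefixes the signed bytes with a fixed context string (constructed
// for this example) so a login signature cannot be reused in some other protocol.
func loginMessage(deviceID string, nonce []byte) []byte {
	msg := []byte("login-verification/v1\x00" + deviceID + "\x00")
	return append(msg, nonce...)
}

// Device models the app. The private key is generated at install time and never
// leaves the device; only the public key is sent to the server.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

func (d *Device) PublicKey() ed25519.PublicKey {
	return d.priv.Public().(ed25519.PublicKey)
}

func (d *Device) SignChallenge(nonce []byte) []byte {
	return ed25519.Sign(d.priv, loginMessage(d.ID, nonce))
}

func main() {
	srv := NewServer()
	dev, _ := NewDevice("phone-1") // constructed device ID
	_ = srv.Enroll(dev.ID, dev.PublicKey())
	nonce, _ := srv.NewChallenge(dev.ID)
	fmt.Println("login ok:", srv.VerifyLogin(dev.ID, dev.SignChallenge(nonce)))
	fmt.Println("replay ok:", srv.VerifyLogin(dev.ID, dev.SignChallenge(nonce)))
}
```

The two things worth noting from a defender's side are that the challenge is consumed on first use, so a signature captured in transit is worthless afterwards, and that the server never sees the private key, so a server breach yields only public keys. What the example leaves out, and a real app must handle, is where the private key lives on the device (a platform keystore rather than a plain file) and how a user recovers when the phone is lost.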


