[Cryptography] client certificates ... as opposed to password hashing
Jerry Leichter
leichter at lrw.com
Wed May 28 17:20:18 EDT 2014
On May 27, 2014, at 7:47 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>> Or, for that matter, a determined individual can just do it the "hard way,"
>> as described in
>> http://pages.uoregon.edu/joe/secprof2012/sec-prof-2012-client-certs.pdf
>
> That's 192 pages of very dense slides, I'd see it as more of an argument
> against using client certs than anything else....
>
> So I think the lesson from that would be "if it takes 192 pages of text to
> explain how to do X then you probably shouldn't be doing X".
I agree in principle, and in fact I even agree about client certificates, though I disagree that this particular slide show proves it. The slide show covers way too much material. A comparable slide show about pin-tumbler locks would include the disclaimer that "we won't go deeply into metallurgy, but here's the basic idea of why the pins are steel while the plug is bronze."
*Using* client certificates, once they've been set up, is a reasonably well solved problem in a number of existing implementations. What's not solved in any I know of - and others here have made the same comment about all the implementations *they* know of, which probably pretty much covers the space - is getting and configuring a client certificate, and beyond that knowing *what* you should get, for what purposes, and what you actually gain by having such a thing (in terms that make sense in the end-user's world).
-- Jerry