[Cryptography] On the deployment of client-side certs
iang at iang.org
Mon Nov 14 22:07:42 EST 2016
On 14/11/2016 17:45, Ray Dillinger wrote:
> [client-certs rule but aren't used...]
> How can we change that?
That is the question.
> What can we do to make it easier to do, provide
> a transition path toward, and get pinning, certificate checking, and
> revocation list checking integrated on hosts and cert generation/use
> integrated into clients? And make it simple and easy for consumers to
> share their certs from multiple devices, reliably remove them from
> devices before loan or sale, and revoke-and-replace whenever one of
> their devices with a copy of their cert gets stolen?
I think the headline problem is basically down to the poor GUI, the poor
management of client certs. Which is down to the lack of interest in
the browser vendors developing it, or experimenting with alternates such
as self-signed certs. Which is down to the CAs being terrified of
anyone futzing with their business model.
It's actually quite easy. I programmed a fully client cert site in PHP
about 6 years back, for the experience. In the end I concluded it was
as easy as programming up with passwords, and a lot more friendly and
usable for the users. It is of course much more secure at the
No more lost passwords! Which seems to be about half the user support
costs and a big security risk eliminated. Of course what this does is
shift the burden across to the users needing to get/keep certs, so the
work becomes much more beneficial if one has several sites to program
up, and share the bounty.
Hence the strategy that emerged was to pull the users on to one key site
that they all had to go through with client certs to get access. Then
the rest came for free.
More information about the cryptography