[Cryptography] On the deployment of client-side certs

Natanael natanael.l at gmail.com
Tue Nov 15 04:13:15 EST 2016


Den 15 nov 2016 09:17 skrev "Thierry Moreau" <thierry.moreau at connotech.com>:
>
> This is a multi-million dollar question: a workable answer might signal a
> serious alternative to password-based authentication.

[...]

> I have a scheme for user enrollment with this first party certification
> concept, but that may not be applicable as a mass market solution since
> the other aspects are unresolved.
>
> Anyway in this view the user cares about the PRIVATE key, finds ways to
> carry it between devices (admittedly easier said than done), and
> self-issues certificates at will.
>
> The educational challenge is enormous since almost every security expert
> has been trained (more or less implicitly) to relegate the PRIVATE key
> protection issue as a minor system configuration management duty (to be
> isolated from the user mental model). How many security experts ever tried
> to explain (e.g. to a computer-literate user audience) the very
> foundational principle of public key digital signatures?

I keep seeing hardware tokens being NOT mentioned.

Is it really that hard to convince people to carry a U2F / OpenPGP token
with USB/NFC/BLE capabilities in their keychain? It shouldn't be.