[Cryptography] On the deployment of client-side certs
Jerry Leichter
leichter at lrw.com
Tue Nov 15 05:08:11 EST 2016

A system based on a client-side certificate consists of the following on the client side:

1. A private/public key pair;
2. Secure storage of the private key;
3. Secure computation of a signature using the private key;
4. Delivery of the public key along with appropriate signed material.

Both steps 2 and 3 represent the key implementation requirement: A secure mechanism to hold and apply a private key.

Given the hardware necessary to do that, wouldn't it be easier, more efficient, and less likely to leak identity information to use it to implement a password-authenticated key agreement protocol like SRP? Note that the "password", being stored in the secure hardware rather than the user's head, can be an arbitrary bitstring.

-- Jerry
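
As an added illustration (not part of the original message): an SRP-6a exchange in Python in which the "password" is a random 256-bit string of the kind the post says secure hardware could hold. It assumes SHA-256 as the hash and the 1024-bit group from RFC 5054 Appendix A; the function names are made up here, and the secret sits in an ordinary variable where the post would keep it inside the hardware.

```python
import hashlib
import secrets

# 1024-bit group from RFC 5054 Appendix A, g = 2 (small by current standards).
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
L = (N.bit_length() + 7) // 8

def pad(n):
    return n.to_bytes(L, "big")

def H(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier

def private_x(salt, identity, secret):
    return H(salt, hashlib.sha256(identity + b":" + secret).digest())

def enroll(identity, secret):
    # One-time registration: the server keeps (salt, verifier), never the secret.
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, identity, secret), N)

def server_hello(verifier):
    b = secrets.randbelow(N - 1) + 1
    return b, (k * verifier + pow(g, b, N)) % N

def scramble(A, B):
    if A % N == 0 or B % N == 0:
        raise ValueError("illegal public value")
    return H(pad(A), pad(B))

def client_key(identity, secret, salt, a, A, B):
    u, x = scramble(A, B), private_x(salt, identity, secret)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()

def server_key(verifier, b, A, B):
    S = pow(A * pow(verifier, scramble(A, B), N) % N, b, N)
    return hashlib.sha256(pad(S)).digest()

def run_exchange(identity, enrolled_secret, presented_secret):
    salt, verifier = enroll(identity, enrolled_secret)
    a = secrets.randbelow(N - 1) + 1   # client ephemeral
    A = pow(g, a, N)                   # client -> server: identity, A
    b, B = server_hello(verifier)      # server -> client: salt, B
    return (client_key(identity, presented_secret, salt, a, A, B),
            server_key(verifier, b, A, B))
```

The two keys agree only when the client holds the enrolled secret; in a deployment each side then proves knowledge of the key (SRP's M1/M2 messages) before trusting the session.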