[Cryptography] On the deployment of client-side certs

Thierry Moreau thierry.moreau at connotech.com
Tue Nov 15 09:46:07 EST 2016

On 15/11/16 09:13 AM, Natanael wrote:
> Den 15 nov 2016 09:17 skrev "Thierry Moreau"
> <thierry.moreau at connotech.com <mailto:thierry.moreau at connotech.com>>:
>  >
>  > This is a multi-million dollar question: a workable answer might
> signal a serious alternative to password-based authentication.
> [...]
>  > I have a scheme for user enrollment with this first party
> certification concept, but that's may not be applicable as a mass market
> solution since the other aspects are unresolved.
>  >
>  > Anyway in this view the user cares about the PRIVATE key, finds ways
> to carry it between devices (admittedly easier said than done), and
> self-issues certificates at will.
>  >
>  > The educational challenge is enormous since almost every security
> expert has been trained (more or less implicitly) to relegate the
> PRIVATE key protection issue as a minor system configuration management
> duty (to be isolated from the user mental model). How many security
> experts ever tried to explain (e.g. to a computer-literate user
> audience) the very foundational principle of public key digital signatures?
> I keep seeing hardware tokens being NOT mentioned.

Hardware tokens are indeed an important aspect in the longer explanation.

> Is it really that hard to convince people to carry a U2F / OpenPGP token
> with USB/NFC/BLE capabilities in their keychain? It shouldn't be.

Historically, two-factor authentication solutions has been presented as 
universal in theory, but marketed as a highly branded solution. The 
corporate treasury management services of each bank would have its own 
flavor of essentially the same concept. Switching to mass market, the 
desirable unifying operator (now Google by default?) is yet to emerge.

- Thierry Moreau

More information about the cryptography mailing list