[Cryptography] On the deployment of client-side certs

Thierry Moreau thierry.moreau at connotech.com
Tue Nov 15 18:15:21 EST 2016


On 15/11/16 10:38 PM, Tony Arcieri wrote:
> On Tue, Nov 15, 2016 at 2:18 PM, Ray Dillinger <bear at sonic.net> wrote:
>
>     > Is it really that hard to convince people to carry a U2F / OpenPGP token
>     > with USB/NFC/BLE capabilities in their keychain? It shouldn't be.
>
>     This is actually a quite good idea.  The mental model of a keyed
>     lock, with a physical key, works reasonably well for at least some
>     plausible implementations of client-side authentication.
>
>
> I've been a big fan of FIDO for the past two years and I've really
> wanted to support U2F tokens specifically for the real-world analogy to
> keys, but I don't think it's really practical for everyone to buy a U2F
> token. I would love to see everyone using hardware tokens this way, but
> I just don't see it happening.
>
> That said, another FIDO standard, UAF, should enable smartphones to work
> as cryptographic authentication tokens. I think this approach is much
> more practical.

As an aside piece of information on the adoption of two-factor 
authentication, the US federal government has been the largest client 
organization with the NIST PIV program and recently had to revert to a 
client-device software-based solution for private key management. The 
rationale is to remain compatible with the newer mobile devices.

See NIST Special Publication 800-157, "Guidelines for Derived Personal 
Identity Verification (PIV) Credentials"

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-157.pdf

- Thierry Moreau


