[Cryptography] On the deployment of client-side certs
thierry.moreau at connotech.com
Tue Nov 15 18:15:21 EST 2016
On 15/11/16 10:38 PM, Tony Arcieri wrote:
> On Tue, Nov 15, 2016 at 2:18 PM, Ray Dillinger <bear at sonic.net
> <mailto:bear at sonic.net>> wrote:
> > Is it really that hard to convince people to carry a U2F / OpenPGP token
> > with USB/NFC/BLE capabilities in their keychain? It shouldn't be.
> This is actually a quite good idea. The mental model of a keyed
> lock, with a physical key, works reasonably well for at least some
> plausible implementations of client-side authentication.
> I've been a big fan of FIDO for the past two years and I've really
> wanted to support U2F tokens specifically for the real-world analogy to
> keys, but I don't think it's really practical for everyone to buy a U2F
> token. I would love to see everyone using hardware tokens this way, but
> I just don't see it happening.
> That said, another FIDO standard, UAF, should enable smartphones to work
> as cryptographic authentication tokens. I think this approach is much
> more practical.
As an aside piece of information on the adoption of two-factor
authentication, the US federal government has been the largest client
organization with the NIST PIV program and recently had to revert to
client device software-based solution for private key management. The
rationale is to remain compatible with the newer mobile devices.
See NIST Special Publication 800-157, "Guidelines for Derived Personal
Identity Verification (PIV) Credentials"
- Thierry Moreau
More information about the cryptography