[Cryptography] On the deployment of client-side certs

Phillip Hallam-Baker phill at hallambaker.com
Tue Nov 15 20:26:04 EST 2016

On Mon, Nov 14, 2016 at 5:45 PM, Ray Dillinger <bear at sonic.net> wrote:

> In response to recent discussion on the list:


> How can we change that?  What can we do to make it easier to do, provide
> a transition path toward, and get pinning, certificate checking, and
> revocation list checking integrated on hosts and cert generation/use
> integrated into clients?  And make it simple and easy for consumers to
> share their certs from multiple devices, reliably remove them from
> devices before loan or sale, and revoke-and-replace whenever one of
> their devices with a copy of their cert gets stolen?
This is exactly what I am working to do with the Mathematical Mesh.


I have just uploaded a new site with all new content.

The Mesh is a user centric PKI for managing client side keys. It makes
using computers easier by making them more secure.

The only configuration the user is ever asked to do is to confirm
fingerprints when adding or removing devices. That is it. Everything else
is automatic. Certificate enrollment, renewal, everything. The code
supports X.509, SSH and OpenPGP format keys.

Keys are rigorously separated by function and device. So if you are
logging in to a machine using Mesh authentication, each device you own has
a separate authentication key. That makes it possible to de-authorize the
key if the device is lost or stolen without having to do anything drastic.
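The per-device key separation described in the message above can be made concrete with a small OpenSSH-style example. The following is an added illustration, not code from the original post or from the Mesh project: it builds one `authorized_keys` entry per device (the 32-byte key material is constructed from a hash of the device name, standing in for a real Ed25519 public key), parses the entries, computes fingerprints in the same `SHA256:<base64>` form that `ssh-keygen -lf` prints, and revokes a single lost device by fingerprint while every other device keeps its access. The function and device names are the example's own assumptions.

```python
"""Per-device SSH authorized_keys management with fingerprint-based revocation.

Added illustration, not code from the original post or from the Mesh project.
Key material is constructed (sha256 of the device name standing in for an
Ed25519 public key) so the script runs offline; the fingerprint format matches
what `ssh-keygen -lf` prints (SHA256:<base64 without padding>).
"""
import base64
import hashlib
import struct
from typing import Dict, List, Tuple

KEY_TYPE = "ssh-ed25519"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def make_device_pubkey(device: str, raw32: bytes) -> str:
    """Build one authorized_keys line for a device from a 32-byte public key.

    raw32 is constructed here; a real deployment would take the output of
    ssh-keygen. The comment field names the device so each line maps to
    exactly one physical device, which is what makes per-device revocation
    possible without touching the other devices' keys.
    """
    blob = ssh_string(KEY_TYPE.encode()) + ssh_string(raw32)
    return f"{KEY_TYPE} {base64.b64encode(blob).decode()} {device}"


def parse_line(line: str) -> Tuple[str, bytes, str]:
    """Split an authorized_keys line into (key type, blob, comment).

    Checks that the blob really carries the advertised key type, so a
    mislabelled or truncated entry is rejected rather than silently kept.
    """
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != ktype:
        raise ValueError("key type in blob does not match prefix")
    return ktype, blob, comment


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the key blob, base64 without '='."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_devices(lines: List[str]) -> Dict[str, str]:
    """Map fingerprint -> authorized_keys line for every non-empty entry."""
    return {fingerprint(parse_line(ln)[1]): ln for ln in lines if ln.strip()}


def revoke(devices: Dict[str, str], fp: str) -> Dict[str, str]:
    """Drop the one key identified by fp; every other device keeps access."""
    if fp not in devices:
        raise KeyError(f"no device with fingerprint {fp}")
    return {k: v for k, v in devices.items() if k != fp}


def render(devices: Dict[str, str]) -> str:
    """Serialize back to authorized_keys format."""
    return "".join(line + "\n" for line in devices.values())


# Constructed sample: three devices, one key each (deterministic stand-in keys).
DEVICE_NAMES = ["laptop", "phone", "desktop"]
DEVICE_LINES = [
    make_device_pubkey(name, hashlib.sha256(name.encode()).digest())
    for name in DEVICE_NAMES
]


def demo() -> Tuple[int, int]:
    """Enroll three devices, then revoke the phone; returns (before, after)."""
    devices = load_devices(DEVICE_LINES)
    phone_fp = next(fp for fp, ln in devices.items() if ln.endswith(" phone"))
    remaining = revoke(devices, phone_fp)
    return len(devices), len(remaining)


if __name__ == "__main__":
    devs = load_devices(DEVICE_LINES)
    for fp, ln in devs.items():
        print(fp, ln.rsplit(" ", 1)[-1])
    print(render(revoke(devs, fingerprint(parse_line(DEVICE_LINES[1])[1]))))
```

The point of keying the registry by fingerprint rather than by comment is that the fingerprint is what a user actually confirms when enrolling a device and what they would read off a stolen device's record; the comment is free text and cannot be trusted to be unique.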