[Cryptography] On the deployment of client-side certs

Jonathan Thornburg jthorn at astro.indiana.edu
Wed Nov 16 01:07:02 EST 2016


On Tue, Nov 15, 2016 at 07:09:23PM -0800, Tony Arcieri wrote:
> Plus, there's nothing to buy if you already own a smartphone. If and when
> UAF ships (it's likely to ship on Android devices at some point. iOS seems
> much more uncertain), anyone with a UAF-capable phone will be able to take
> advantage of it without having to figure out which token to buy.
> 
> Only time will tell I guess. Maybe I'm wrong and we'll see everyone with
> hardware tokens on their keychains soon. But I think it's far more likely
> we'll see smartphones leveraged for this purpose, rather than widespread
> usage of dedicated tokens.

What happens when the user's smartphone is pwned by a carelessly-coded
or malicious app, exploiting yet another Android/iOS 0day?  At that point
I don't see how the "security token" gives any security improvement
over the bare (also pwned) client pc/mac.

The only way I can see to keep the security token secure is for it to
be a special-purpose device that doesn't support user-loaded software.

ciao,

-- 
-- "Jonathan Thornburg [remove -animal to reply]" <jthorn at astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
    at any given moment.  How often, or on what system, the Thought Police
    plugged in on any individual wire was guesswork.  It was even conceivable
    that they watched everybody all the time."  -- George Orwell, "1984"