[Cryptography] On the deployment of client-side certs

Tony Arcieri bascule at gmail.com
Wed Nov 16 02:41:19 EST 2016

On Tue, Nov 15, 2016 at 10:07 PM, Jonathan Thornburg <
jthorn at astro.indiana.edu> wrote:

> What happens when the user's smartphone is pwned by a carelessly-coded
> or malicious app, exploiting yet another android/ios 0day?  At that point
> I don't see how the "security token" gives any security improvement
> over the bare (also pwned) client pc/mac.

Clearly a dedicated hardware token (or something like the new Apple T1 chip
+ Touch Bar) has better security properties than a smartphone which is
running user-installable software.

But that's not what I was talking about. I was talking about which one is
more likely to be adopted. In that regard I think something that runs on
smartphones will beat a dedicated device any day.

Tony Arcieri