[Cryptography] On the deployment of client-side certs
bascule at gmail.com
Wed Nov 16 02:41:19 EST 2016
On Tue, Nov 15, 2016 at 10:07 PM, Jonathan Thornburg <jthorn at astro.indiana.edu> wrote:
> What happens when the user's smartphone is pwned by a carelessly-coded
> or malicious app, exploiting yet another android/ios 0day? At that point
> I don't see how the "security token" gives any security improvement
> over the bare (also pwned) client pc/mac.
Clearly a dedicated hardware token (or something like the new Apple T1 chip
+ Touch Bar) has better security properties than a smartphone which is
running user-installable software.
But that's not what I was talking about. I was talking about which one is
more likely to be adopted. In that regard I think something that runs on
smartphones will beat a dedicated device any day.