[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Theodore Ts'o
tytso at mit.edu
Wed Apr 23 19:46:10 EDT 2025
On Wed, Apr 23, 2025 at 10:19:58AM -0400, Kent Borg wrote:
> On 4/22/25 9:16 PM, Theodore Ts'o wrote:
> > Browsers and other actors *have* been trying to solve this problem.
> > And it's called FIDO2 Passwordless Authentication.
>
> Doesn't it solve a somewhat different problem? That is, FIDO2
> Passwordless Authentication is practical details around using public
> key cryptography to do mutual authentication between a client and
> server that already have an established relationship. Enrollment is
> a problem outside its scope and it offers me no assurances when I
> try to go to https://www.somenewbank.com.
Practically, it solves the phishing problem, which is what I was
referring to. Yes, you need to know that you went to the correct
domain when you first registered. For example, while you are at the
bank, you could scan a QR code with your phone as part of opening your
bank account, and where you would be showing your bank your
identification as part of complying with the Know Your Customer (KYC)
requirements. That QR code would guarantee that you went to the
correct https://www.somenewbank.com domain, and then you could set up
your passkey.
Since you don't use a password, to authenticate to
https://www.somenewbank.com, you don't have to worry about your
password, or other authentication credentials, being phished.
- Ted
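The origin binding Ted describes, as an added worked example (not code from the thread, and not any particular browser's or bank's implementation): a toy WebAuthn-style flow in Go that models the phone (Authenticator), the browser (rpIDValidFor, getAssertion) and the bank (RelyingParty.Verify). It assumes Ed25519 passkeys, a simplified authenticatorData layout, an RP ID rule that skips the public-suffix list, and a hypothetical look-alike domain somenewbank.com.evil.example; the QR-code enrollment step in the message is the Register call on the real origin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Authenticator models the user's phone: one private key per relying-party (RP) ID, never exported.
type Authenticator map[string]ed25519.PrivateKey

// RelyingParty models the bank: the one origin it accepts logins from, its RP ID, and the enrolled key.
type RelyingParty struct{ Origin, RPID string; pub ed25519.PublicKey }

// collectedClientData is the browser's record of where the request came from; it is under the signature.
type collectedClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type assertion struct{ clientDataJSON, authData, sig []byte }

// rpIDValidFor is the browser rule: https only, and the RP ID must equal the page's host or a parent
// domain of it (the real check also consults the public-suffix list; omitted here).
func rpIDValidFor(origin, rpID string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return false
	}
	return u.Hostname() == rpID || strings.HasSuffix(u.Hostname(), "."+rpID)
}

// Register is enrollment from a page at origin; the QR code in the thread is what lands the user there.
func Register(auth Authenticator, rp *RelyingParty, origin string) error {
	if !rpIDValidFor(origin, rp.RPID) {
		return fmt.Errorf("browser: rpID %q not valid for origin %q", rp.RPID, origin)
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	auth[rp.RPID] = priv
	rp.pub = pub
	return nil
}

func signedMessage(authData, clientDataJSON []byte) []byte { // WebAuthn signs authData || SHA-256(clientDataJSON)
	cdHash := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), cdHash[:]...)
}

// getAssertion is the browser plus authenticator side of navigator.credentials.get().
func getAssertion(auth Authenticator, origin, rpID, challenge string) (*assertion, error) {
	if !rpIDValidFor(origin, rpID) {
		return nil, fmt.Errorf("browser: rpID %q not valid for origin %q", rpID, origin)
	}
	priv, ok := auth[rpID]
	if !ok {
		return nil, fmt.Errorf("authenticator: no passkey for rpID %q", rpID)
	}
	cd, _ := json.Marshal(collectedClientData{Challenge: challenge, Origin: origin})
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP) || signCount, simplified
	sig := ed25519.Sign(priv, signedMessage(authData, cd))
	return &assertion{clientDataJSON: cd, authData: authData, sig: sig}, nil
}

// Verify is the server side: its own fresh challenge, its own origin, and a signature under the enrolled key.
func (rp *RelyingParty) Verify(a *assertion, challenge string) error {
	var cd collectedClientData
	if rp.pub == nil || json.Unmarshal(a.clientDataJSON, &cd) != nil || cd.Challenge != challenge {
		return fmt.Errorf("rp: no credential, malformed clientData, or stale challenge")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("rp: assertion from origin %q, expected %q", cd.Origin, rp.Origin)
	}
	if !ed25519.Verify(rp.pub, signedMessage(a.authData, a.clientDataJSON), a.sig) {
		return fmt.Errorf("rp: bad signature")
	}
	return nil
}

// Authenticate runs one login: the RP's challenge reaches a page at origin, which requests an assertion under requestedRPID.
func Authenticate(auth Authenticator, rp *RelyingParty, origin, requestedRPID, challenge string) error {
	a, err := getAssertion(auth, origin, requestedRPID, challenge)
	if err != nil {
		return err
	}
	return rp.Verify(a, challenge)
}

func main() {
	auth, bank := Authenticator{}, &RelyingParty{Origin: "https://www.somenewbank.com", RPID: "somenewbank.com"}
	fmt.Println("enroll:", Register(auth, bank, bank.Origin))
	fmt.Println("phish relay:", Authenticate(auth, bank, "https://www.somenewbank.com.evil.example", bank.RPID, "c1"))
}
```

Run as written, the "phish relay" line shows the browser refusing to use the bank's RP ID from the look-alike origin, so the phishing page never gets anything to forward. A page that asks under its own RP ID instead finds no passkey on the phone. And because the origin sits under the signature, even a page on another legitimate subdomain produces an assertion naming that subdomain, which Verify rejects unless the bank has allow-listed it; none of this depends on the user noticing the domain in the address bar after enrollment.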