[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Christian Huitema
huitema at huitema.net
Wed Apr 23 20:15:28 EDT 2025
On 4/23/2025 4:46 PM, Theodore Ts'o wrote:
> On Wed, Apr 23, 2025 at 10:19:58AM -0400, Kent Borg wrote:
>> On 4/22/25 9:16 PM, Theodore Ts'o wrote:
>>> Browsers and other actors*have* been trying to solve this problem.
>>> And it's called FIDO2 Passwordless Authentication.
>> Doesn't it solve a somewhat different problem? That is, FIDO2
>> Passwordless Authentication is practical details around using public
>> key cryptography to do mutual authentication between a client and
>> server that already have an established relationship. Enrollment is
>> a problem outside its scope and it offers me no assurances when I
>> try to go tohttps://www.somenewbank.com.
> Practically, it solves the phishing problem, which is what I was
> referring to. Yes, you need to know that you went to the correct
> domain when you first registered. For example, while you are at the
> bank, you could scan a QR code with your phone as part of opening your
> bank account, and where you would be showing your bank your
> identification as part of complkying with the Know Your Customer (kyc)
> requirements. That QR code would guarantee that you went to the
> correcthttps://www.somenewbank.com domain, and then you could set up
> your passkey.
As a side note, client authentication could also protection against
MITM, especially if integrated with TLS. Something like the server
asking the client, "please hash a derivative of the session key with
your password". In case of MITM, the session key seen by the server is
different from that seen by the client, and the authentication fails.
That's a neat way to detect the "transparent proxies" used in some
corporate networks.
-- Christian Huitema
More information about the cryptography
mailing list