TLS-client-certificate-authentication - NOT

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Mon, 25 Jul 2011 10:23:53 +0200
Message-ID: <4E2D2819.1070903@telia.com>
To: "public-identity@w3.org" <public-identity@w3.org>

I know that lots of security experts will argue against the following, but
I don't believe TLS-client-certificate authentication in the form of HTTPS
as implemented in browsers is a very useful authentication scheme.

In fact, quite a bunch of the entities in the EU working with consumer PKI
have replaced TLS-c-c-a with an application-level scheme, which wasn't such
a big deal since they were anyway forced to write a browser PKI client more
or less from scratch, since the ones shipped with browsers don't support
PKI as defined by banks and governments (like mandatory PIN codes also
for on-line enrolled keys).

That the TLS-c-c-a/HTTPS protocol doesn't even support "logout" hasn't made
it a logical choice for web developers either. Well, there are some workarounds,
but they are by no means straightforward, and (of course) entirely undocumented.

The button "Clear SSL state" in MSIE is an indication of how horribly bad it
can go when security experts design systems for "people".

There's no way you can hide the fact that TLS-c-c-a is only truly useful for
static secure tunnels between "boxes".

Received on Monday, 25 July 2011 08:24:31 UTC