W3C home > Mailing lists > Public > public-identity@w3.org > July 2011

Re: TLS-client-certificate-authentication - NOT

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 25 Jul 2011 15:22:03 +0200
Cc: "public-identity@w3.org" <public-identity@w3.org>
Message-Id: <5C0F1C52-666C-49B5-9631-CDD8D66A0FD2@bblfish.net>
To: Anders Rundgren <anders.rundgren@telia.com>

On 25 Jul 2011, at 15:12, Anders Rundgren wrote:

> On 2011-07-25 14:35, Henry Story wrote:
>> On 25 Jul 2011, at 10:23, Anders Rundgren wrote:
>>> I know that lots of security experts will argue against the following but
>>> I don't believe TLS-client-certificate authentication in the form of HTTPS
>>> as implemented in browsers is a very useful authentication scheme.
>> Well it is close and workable for a reasonable minority of people, but could
>> have mass appeal if they fixed the problems you point to below.
> Agreed, but there is a snag...
> The various PMs I have spoken to over the years have always said that there
> is no "business case" for consumer authentication using PKI, and they are
> actually quite right since their interest is limited to the US.

Well of course they say that, because they just work with what they see is 
possible. It is as if you asked people before planes were out if there was much
Interest among businessmen in magic carpets.  Or to take something closer to home,
what do you think the interest in the AJAX technology stack was before google showed
what could be done with it? So the problem here is not the technology - tough that can 
be improved - but the understanding of the technology. And if you don't see that all
that will happen is that people will go off and make exactly the same mistake with
the next attempt. Even worse, because they won't have seen that they were standing
right next to the answer.

Anyway, I don't think there is much movement on this list. Not sure if it is really
worth discussing here.


> Anders
>>> In fact, quite a bunch of the entities in the EU working with consumer PKI
>>> have replaced TLS-c-a-a with an application level scheme which wasn't such
>>> a big deal since they anyway were forced writing a browser PKI client more
>>> or less from scratch since the ones shipped with browsers doesn't support
>>> PKI as defined by banks and government (like mandatory PIN codes also
>>> for on-line enrolled keys).
>>> That TLS-c-c-a/HTTPS protocol doesn't even support "logout" haven't made
>>> it a logical choice for web developers either.  Well, there are some workarounds
>>> but they are by no means straightforward, and (of course) entirely undocumented.
>> The clients should make logout visible to the user. It's really for the client to
>> log the user out. 
>> I think there are some server ways to send some signals, but they are not implemented
>> consistently.
>>> The button "Clear SSL state" in MSIE is an indication how horribly bad it
>>> can go when security experts design systems for "people".
>>> There's no way you can hide the fact that TLS-c-c-a is only truly useful for
>>> static secure tunnels between "boxes".
>> It seems to me that one can get this to work quite well. People did a lot more
>> with the horrible javascript space, patching broken browsers all over the place.
>> So there is work the browser vendors could do here, and it would not cost them that
>> much to do - much less than developing new protocols. 
>> Henry
>>> Anders
>> Social Web Architect
>> http://bblfish.net/

Social Web Architect
Received on Monday, 25 July 2011 13:22:34 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:00:47 UTC