
Re: TLS-client-certificate-authentication - NOT

From: Nico Williams <nico@cryptonector.com>
Date: Tue, 26 Jul 2011 11:02:33 -0500
Message-ID: <CAK3OfOh3=x38+je4NDPVZmWy29_-89z5y99xjC4giwr3dOv8Ww@mail.gmail.com>
To: Anders Rundgren <anders.rundgren@telia.com>
Cc: "public-identity@w3.org" <public-identity@w3.org>
On Jul 25, 2011 4:24 AM, "Anders Rundgren" <anders.rundgren@telia.com>
wrote:
>
> I know that lots of security experts will argue against the following but
> I don't believe TLS-client-certificate authentication in the form of HTTPS
> as implemented in browsers is a very useful authentication scheme.
>
> In fact, quite a bunch of the entities in the EU working with consumer PKI
> have replaced TLS-c-a-a with an application-level scheme, which wasn't such
> a big deal since they were anyway forced to write a browser PKI client more
> or less from scratch, since the ones shipped with browsers don't support
> PKI as defined by banks and governments (like mandatory PIN codes also
> for on-line enrolled keys).

Right, an application-layer solution can work -- indeed I've proposed just
such a thing myself.  The only thing I'd caution you about is the need for
channel binding if you rely on TLS for transport protection, but this is
relatively straightforward.

Nico
--
Received on Tuesday, 26 July 2011 16:03:09 GMT
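Editor's note, added to this archive page and not part of either message: the caveat in Nico's reply is easiest to see with a small simulation. An application-layer authentication that runs over TLS but ignores the TLS channel can be relayed by a TLS-terminating man-in-the-middle: the attacker opens its own TLS connection to the real server, forwards the server's challenge to the client, and forwards the client's answer back. Binding the answer to a value derived from the TLS connection (tls-unique from RFC 5929, or the tls-exporter binding of RFC 9266 for TLS 1.3; Python's `ssl.SSLSocket.get_channel_binding()` exposes tls-unique) defeats this, because the attacker's two connections produce two different binding values. The code below is constructed for illustration: the "TLS connection secret" is a random token standing in for the real connection, and an HMAC over a pre-shared key stands in for the signature the client would make with its certificate's private key. The scheme names and helper functions are the editor's, not anything from the thread.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a TLS channel binding value. In a real deployment
# both endpoints derive this from the same TLS connection (e.g. tls-unique or
# the RFC 9266 exporter), so they agree if and only if they share the channel.
def channel_binding(tls_connection_secret: bytes) -> bytes:
    return hashlib.sha256(b"EXPORTER-Channel-Binding:" + tls_connection_secret).digest()


def client_respond(key: bytes, challenge: bytes, cb: bytes) -> bytes:
    """Client's proof of possession over (challenge, channel binding).

    HMAC stands in for a signature made with the certificate's private key;
    the security argument is the same: the proof covers the channel binding.
    """
    msg = b"challenge:" + challenge + b"|cb:" + cb
    return hmac.new(key, msg, hashlib.sha256).digest()


def server_verify(key: bytes, challenge: bytes, cb: bytes, response: bytes) -> bool:
    """Server recomputes the proof using *its own* channel binding value."""
    expected = client_respond(key, challenge, cb)
    return hmac.compare_digest(expected, response)


def run_direct(key: bytes) -> bool:
    """Honest case: one TLS connection shared by client and server."""
    conn = os.urandom(32)                 # constructed: the shared connection
    challenge = os.urandom(16)            # server-chosen nonce
    response = client_respond(key, challenge, channel_binding(conn))
    return server_verify(key, challenge, channel_binding(conn), response)


def run_mitm(key: bytes, bind: bool) -> bool:
    """Relay attack: attacker terminates TLS towards the client and opens a
    second TLS connection to the server, forwarding challenge and response.

    bind=False models an application-layer scheme that ignores the channel;
    bind=True models the same scheme with channel binding added.
    """
    conn_client_attacker = os.urandom(32)  # constructed: client <-> attacker TLS
    conn_attacker_server = os.urandom(32)  # constructed: attacker <-> server TLS
    challenge = os.urandom(16)             # relayed unchanged by the attacker

    cb_client = channel_binding(conn_client_attacker) if bind else b""
    cb_server = channel_binding(conn_attacker_server) if bind else b""

    response = client_respond(key, challenge, cb_client)   # client signs on its leg
    return server_verify(key, challenge, cb_server, response)  # server checks its leg


if __name__ == "__main__":
    k = os.urandom(32)  # constructed pre-shared key standing in for a cert key
    print("direct, bound        :", run_direct(k))          # True
    print("relayed, unbound     :", run_mitm(k, bind=False))  # True: attack works
    print("relayed, channel-bound:", run_mitm(k, bind=True))  # False: attack fails
```

The point the simulation makes is that the application-layer proof must cover something only the two real TLS endpoints share; a nonce alone is not enough, since the attacker can forward it. Note that tls-unique is undefined for TLS 1.3, so a scheme designed today should bind to the exporter value instead.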
