
RE: AW: Magic Bullet (proposal for in-browser secure 2-way authentication resistant to online and offline attacks)

From: Scott Cantor <cantor.2@osu.edu>
Date: Mon, 12 Mar 2007 20:15:45 -0400
To: "'Chris Drake'" <christopher@pobox.com>
Cc: <public-usable-authentication@w3.org>
Message-ID: <000301c76504$c0800b40$418021c0$@2@osu.edu>

> A cookie and a
> client-side cert both live in files on a user's hard drive:

A certificate is public information. The private key often lives in a
hardware token, not a file. A cookie used for security isn't public
information, yet has no protections and is often freely usable by anyone who
gets hold of it.

> one is optionally protected by a password on the file, the other is
> optionally protected by a password on the computer.  One can be sent
> to any web site on request, the other can be sent only to a specific
> subset of SSL verified domains (assuming secure cookies are used
> instead of just any old cookie).

A certificate can be sent anywhere without losing its value. A private key
never leaves the client. A cookie doesn't have any of these properties.

> Both are issued from some original
> web site under that site's issuing policy.

I don't know why you have the idea that certificates come from web sites
either.

I'm no PKI apologist, but this is just apples and oranges. Cookies have no
place in a real security model; unfortunately we have none, so they get used
that way.

-- Scott
Received on Tuesday, 13 March 2007 15:56:43 GMT
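The distinction drawn in the message above, a bearer cookie versus a key pair whose public half can be handed to anyone, can be made concrete. The Go program below is an added illustration, not code from this thread or from either correspondent. It stands in for a client certificate with a bare ECDSA key pair (no X.509 encoding), and the bearerServer and keyServer types and the runDemo function are hypothetical names of its own; both servers and the client run in one process with no network involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// randomBytes returns n CSPRNG bytes; a failure here is fatal for a demo.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// bearerServer models cookie sessions: the cookie value is the credential,
// so whoever presents it is accepted as that user.
type bearerServer struct{ sessions map[string]string } // cookie value -> user

func (s *bearerServer) issueCookie(user string) string {
	c := fmt.Sprintf("%x", randomBytes(16))
	s.sessions[c] = user
	return c
}

// authenticate only looks the value up; nothing ties it to the original holder.
func (s *bearerServer) authenticate(cookie string) bool {
	_, ok := s.sessions[cookie]
	return ok
}

// keyServer models client-certificate style authentication: it holds public
// keys only and accepts a signature over a nonce it issued itself.
type keyServer struct {
	pubs    map[string]*ecdsa.PublicKey // user -> public key (public data)
	pending map[string]bool             // nonces issued but not yet consumed
}

// challenge issues a fresh nonce and remembers it so it is usable exactly once.
func (s *keyServer) challenge() []byte {
	n := randomBytes(32)
	s.pending[string(n)] = true
	return n
}

// authenticate verifies sig over an outstanding nonce with the enrolled public
// key and consumes the nonce, so a captured (nonce, sig) pair cannot be replayed.
func (s *keyServer) authenticate(user string, nonce, sig []byte) bool {
	pub, ok := s.pubs[user]
	if !ok || !s.pending[string(nonce)] {
		return false
	}
	delete(s.pending, string(nonce))
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// clientSign is the only operation that touches the private key; it never leaves the client.
func clientSign(priv *ecdsa.PrivateKey, nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

type outcome struct {
	CookieLegit, CookieReplay        bool // original use; reuse of a copied value
	KeyLegit, KeyReplay, KeyWrongKey bool // original use; replayed pair; other key
}

func runDemo() outcome {
	var o outcome
	// Cookie path: a copy of the value is as good as the original.
	bs := &bearerServer{sessions: map[string]string{}}
	cookie := bs.issueCookie("alice")
	o.CookieLegit = bs.authenticate(cookie)
	o.CookieReplay = bs.authenticate(cookie) // same value, presented by whoever copied it
	// Key path: the server is handed only the public half.
	alice, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ks := &keyServer{pubs: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
	ks.pubs["alice"] = &alice.PublicKey
	nonce := ks.challenge()
	sig := clientSign(alice, nonce)
	o.KeyLegit = ks.authenticate("alice", nonce, sig)
	o.KeyReplay = ks.authenticate("alice", nonce, sig) // the captured pair, again
	// Knowing Alice's public key does not help: a signature by a different
	// private key over a fresh nonce is rejected.
	nonce2 := ks.challenge()
	o.KeyWrongKey = ks.authenticate("alice", nonce2, clientSign(other, nonce2))
	return o
}

func main() { fmt.Printf("%+v\n", runDemo()) }
```

Running it prints CookieLegit and CookieReplay both true, KeyLegit true, and KeyReplay and KeyWrongKey both false: the cookie is accepted from any holder of the value, while the key-based path accepts only a fresh proof of possession of a private key the server never saw.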
