Client Certificates. Was: GlobalPlatform Trusted User Interface spec

On 2013-04-01 11:55, Jeffrey Walton wrote:
<snip>
> 
>> My guess is that the US will remain at its current position regarding
>> strong authentication for consumers, i.e., at the _absolute_bottom_.

> Client certificates are a good choice for client authentication, but
> they suffer provisioning hardships and a number of UI issues.

Yes, are these hardships incurable?


> As for cell phones and second factors, that channel was breached in 2011
> (http://financialcryptography.com/mt/archives/001349.html).

You will always find people who claim that they can penetrate any security system.
Does this motivate us to stick to static passwords (reused at multiple sites) forever?
EMV cards are not perfect (this has been proven), but the amount of fraud performed at
the EMV level is orders of magnitude lower than at the non-EMV ditto.


> A client certificate means the consumer could be applying his/her
> secret for an insecure/unknown server.

Yes, I can surely log in to "BadBank" with "GoodBank"'s client certificate.
Fortunately for me, "BadBank" doesn't have my money, and they cannot reuse the
login information at "GoodBank" either.


> It seems to me if the consumer
> uses a non-hardened PKI with internet profiles, then all consumers
> suffer - both US and abroad. Surely you have not forgotten the Dutch
> CA Diginotar's failure affected all users, and Iranian users in
> particular.

As I see it, a working client-side PKI would be an important part of the
puzzle making the Internet more secure since attacks on public SSL PKIs
would become less useful.

That is, there's no single solution that "does it all" but there are
some pretty well identified areas worth improving.

Anders

> 
> Jeff
> 
> 
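The "BadBank cannot reuse the login at GoodBank" point above, as an added illustration that is not part of the thread: a deliberately simplified model of TLS client-certificate authentication (real TLS signs the handshake transcript, not a bare nonce), in which the client answers a server-chosen challenge with a signature, so a signature captured by one server is useless at another.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Simplified model of TLS client-certificate auth (added illustration, not real TLS):
// the client signs a server-chosen nonce bound to the server's name, so a signature
// handed to one server is worthless at another.

// newChallenge is what a server sends: its name plus a fresh 32-byte nonce.
func newChallenge(server string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append([]byte(server), nonce...)
}

// clientSign answers a challenge; the private key itself is never sent.
func clientSign(key *ecdsa.PrivateKey, challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// serverVerify accepts a login only for a signature over its own challenge.
func serverVerify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// replayBlocked plays the thread's scenario: the user logs in to "BadBank" with the
// GoodBank key, BadBank keeps that signature and presents it to GoodBank.
func replayBlocked() (acceptedByBad, acceptedByGood bool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	bad, good := newChallenge("BadBank"), newChallenge("GoodBank")
	captured := clientSign(key, bad)
	return serverVerify(&key.PublicKey, bad, captured),
		serverVerify(&key.PublicKey, good, captured)
}
```

Contrast this with a static password, where whatever BadBank receives is exactly what GoodBank would accept.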

Received on Monday, 1 April 2013 10:35:56 UTC