- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Mon, 25 Jul 2011 10:23:53 +0200
- To: "public-identity@w3.org" <public-identity@w3.org>
I know that lots of security experts will argue against the following, but I don't believe TLS-client-certificate authentication in the form of HTTPS as implemented in browsers is a very useful authentication scheme. In fact, quite a bunch of the entities in the EU working with consumer PKI have replaced TLS-c-c-a with an application-level scheme, which wasn't such a big deal since they were anyway forced to write a browser PKI client more or less from scratch, since the ones shipped with browsers don't support PKI as defined by banks and government (like mandatory PIN codes also for on-line enrolled keys).

That the TLS-c-c-a/HTTPS protocol doesn't even support "logout" hasn't made it a logical choice for web developers either. Well, there are some workarounds, but they are by no means straightforward and (of course) entirely undocumented. The button "Clear SSL state" in MSIE is an indication of how horribly bad it can go when security experts design systems for "people".

There's no way you can hide the fact that TLS-c-c-a is only truly useful for static secure tunnels between "boxes".

Anders
Received on Monday, 25 July 2011 08:24:31 UTC