Re: TLS-client-certificate-authentication - NOT

On 25 Jul 2011, at 10:23, Anders Rundgren wrote:

> I know that lots of security experts will argue against the following but
> I don't believe TLS-client-certificate authentication in the form of HTTPS
> as implemented in browsers is a very useful authentication scheme.

Well it is close and workable for a reasonable minority of people, but could
have mass appeal if they fixed the problems you point to below.

> 
> In fact, quite a bunch of the entities in the EU working with consumer PKI
> have replaced TLS-c-a-a with an application level scheme which wasn't such
> a big deal since they anyway were forced writing a browser PKI client more
> or less from scratch since the ones shipped with browsers doesn't support
> PKI as defined by banks and government (like mandatory PIN codes also
> for on-line enrolled keys).
> 
> That TLS-c-c-a/HTTPS protocol doesn't even support "logout" haven't made
> it a logical choice for web developers either.  Well, there are some workarounds
> but they are by no means straightforward, and (of course) entirely undocumented.

The clients should make logout visible to the user. It's really for the client to
log the user out. 

I think there are some server ways to send some signals, but they are not implemented
consistently.

> 
> The button "Clear SSL state" in MSIE is an indication how horribly bad it
> can go when security experts design systems for "people".
> 
> There's no way you can hide the fact that TLS-c-c-a is only truly useful for
> static secure tunnels between "boxes".

It seems to me that one can get this to work quite well. People did a lot more
with the horrible javascript space, patching broken browsers all over the place.

So there is work the browser vendors could do here, and it would not cost them that
much to do - much less than developing new protocols. 

Henry

> 
> Anders
> 

Social Web Architect
http://bblfish.net/

Received on Monday, 25 July 2011 12:36:22 UTC