- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Mon, 25 Jul 2011 15:12:46 +0200
- To: Henry Story <henry.story@bblfish.net>
- CC: "public-identity@w3.org" <public-identity@w3.org>
On 2011-07-25 14:35, Henry Story wrote: > > On 25 Jul 2011, at 10:23, Anders Rundgren wrote: > >> I know that lots of security experts will argue against the following but >> I don't believe TLS-client-certificate authentication in the form of HTTPS >> as implemented in browsers is a very useful authentication scheme. > > Well it is close and workable for a reasonable minority of people, but could > have mass appeal if they fixed the problems you point to below. Agreed, but there is a snag... The various PMs I have spoken to over the years have always said that there is no "business case" for consumer authentication using PKI, and they are actually quite right since their interest is limited to the US. Anders > >> >> In fact, quite a bunch of the entities in the EU working with consumer PKI >> have replaced TLS-c-a-a with an application level scheme which wasn't such >> a big deal since they anyway were forced writing a browser PKI client more >> or less from scratch since the ones shipped with browsers doesn't support >> PKI as defined by banks and government (like mandatory PIN codes also >> for on-line enrolled keys). >> >> That TLS-c-c-a/HTTPS protocol doesn't even support "logout" haven't made >> it a logical choice for web developers either. Well, there are some workarounds >> but they are by no means straightforward, and (of course) entirely undocumented. > > The clients should make logout visible to the user. It's really for the client to > log the user out. > > I think there are some server ways to send some signals, but they are not implemented > consistently. > >> >> The button "Clear SSL state" in MSIE is an indication how horribly bad it >> can go when security experts design systems for "people". >> >> There's no way you can hide the fact that TLS-c-c-a is only truly useful for >> static secure tunnels between "boxes". > > It seems to me that one can get this to work quite well. People did a lot more > with the horrible javascript space, patching broken browsers all over the place. > > So there is work the browser vendors could do here, and it would not cost them that > much to do - much less than developing new protocols. > > Henry > >> >> Anders >> > > Social Web Architect > http://bblfish.net/ > >
Received on Monday, 25 July 2011 13:13:25 UTC