- From: Scott Cantor <cantor.2@osu.edu>
- Date: Mon, 12 Mar 2007 20:15:45 -0400
- To: "'Chris Drake'" <christopher@pobox.com>
- Cc: <public-usable-authentication@w3.org>
> A cookie and a
> client-side cert both live in files on a user's hard drive:

A certificate is public information. The private key often lives in a hardware token, not a file. A cookie used for security isn't public information, yet has no protections and is often freely usable by anyone who gets hold of it.

> one is optionally protected by a password on the file, the other is
> optionally protected by a password on the computer. One can be sent
> to any web site on request, the other can be sent only to a specific
> subset of SSL verified domains (assuming secure cookies are used
> instead of just any old cookie).

A certificate can be sent anywhere without losing its value. A private key never leaves the client. A cookie doesn't have any of these properties.

> Both are issued from some original
> web site under that site's issuing policy.

I don't know why you have the idea that certificates come from web sites either. I'm no PKI apologist, but this is just apples and oranges. Cookies have no place in a real security model; unfortunately we have none, so they get used that way.

-- Scott
Received on Tuesday, 13 March 2007 15:56:43 UTC
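The bearer-versus-proof-of-possession distinction Scott draws, as an added example that is not part of the thread: a cookie server accepts anyone who presents the copied value, while a certificate-style server hands out a fresh nonce and only a signature from the never-shared private key satisfies it. The server types, the session value and the use of a bare Ed25519 key in place of an X.509 certificate are my constructed simplifications.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// CookieServer models a bearer session: whoever presents the value is accepted.
type CookieServer struct{ sessions map[string]string }

// CertServer models certificate-style auth: it holds public keys only and
// accepts a signature over a fresh nonce. Hypothetical simplification: a bare
// Ed25519 public key stands in for an X.509 certificate.
type CertServer struct{ users map[string]ed25519.PublicKey }

func (s *CookieServer) AcceptCookie(cookie string) string { return s.sessions[cookie] }

// Challenge issues a new random nonce for every login attempt.
func (s *CertServer) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

func (s *CertServer) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s.users[user]
	return ok && ed25519.Verify(pub, nonce, sig)
}

// Scenario reports whether the real key holder authenticates (yes), whether a
// copied cookie still authenticates (yes), and whether a copied public key plus
// an observed signature authenticates against a fresh nonce (no).
func Scenario() (legit, cookieReplayWorks, certReplayWorks bool) {
	cookie := &CookieServer{sessions: map[string]string{"sess-42": "alice"}} // constructed session
	cookieReplayWorks = cookie.AcceptCookie("sess-42") == "alice"       // value copied from disk or wire
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cert := &CertServer{users: map[string]ed25519.PublicKey{"alice": pub}}
	n1 := cert.Challenge()
	sig := ed25519.Sign(priv, n1) // the private key never leaves alice's side
	legit = cert.Verify("alice", n1, sig)
	// Attacker holds the public key and the signature seen on the wire, but gets a fresh nonce.
	certReplayWorks = cert.Verify("alice", cert.Challenge(), sig)
	return
}

func main() {
	fmt.Println(Scenario()) // true true false
}
```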