- From: James A. Donald <jamesd@echeque.com>
- Date: Sun, 17 Feb 2008 08:15:57 +1000
- To: Johnathan Nightingale <johnath@mozilla.com>
- CC: Christoph Hack <c.hack@gmx.at>, public-usable-authentication@w3.org
Johnathan Nightingale wrote:

> As far as I know, though I haven't looked in detail,
> most modern browsers allow sites to store client
> certs, and to request client certificates as part of
> the TLS handshake.

At present, the only way to use a client X.509 key is for the site administrator to spend considerable time and effort authorizing client keys by hand, which is in practice so laborious it is seldom done, and if done, is done wrong, breaking, rather than ensuring, security.

Analogous problems arise in using TLS-SRP, and indeed in any attempt to use more modern and elegant cryptography than shared passwords for client side identification. If we support client side identification by GPG certificates or SRP unshared secrets in the same way we support client side identification using X.509 certificates, we are just as hosed as we are with X.509 certificates. TLS-GPG will be just as unworkable for client side identification as TLS-X.509 is.
Received on Saturday, 16 February 2008 22:16:19 UTC