Re: Using client certificates for signing

From: Jeffrey Walton <noloader@gmail.com>
Date: Tue, 23 Feb 2016 05:34:57 -0500
Message-ID: <CAH8yC8nEND1zbGEn0-JFzXjuTB4deof6pm_Kb46oVmKLHH5F0g@mail.gmail.com>
To: Henry Story <henry.story@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

> Microsoft are also behind the W3C TAG (Technical Architecture Group) finding
> on client certificates
>   http://w3ctag.github.io/client-certificates/
> I'd suggest reading that for guidance rather than the rumour mill.

Well, it's kind of disingenuous that companies who make browsers are
against it and they present their claims. The security model and
threat models used for the web are broken. They are simply not
realistic, and they represent some netherland that does not exist for
most users.

"Interception is a valid use case" is ghastly, including the
abomination known as Public Key Pinning with Overrides. Claiming
authority for it in the W3C's Priority of Constituencies is tenuous at
best. Even the IETF is embarrassed by that standard.

The browser's inability to work with client certificates is one of the
reasons the browser is delegated to low value data only. And not
surprisingly, the same companies building the browsers tell you it's OK
to handle high value data, and store the data in their clouds. It's
like trying to ask a drunk if he is drunk, and trying to get a
straight answer...

Client Certificates have long been the way we have combatted the
chronic mishandling of secrets perpetuated by browsers.

Received on Tuesday, 23 February 2016 10:35:29 UTC
