- From: Jeffrey Walton <noloader@gmail.com>
- Date: Tue, 23 Feb 2016 05:34:57 -0500
- To: Henry Story <henry.story@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> Microsoft are also behind the W3C TAG (Technical Architecture Group) finding
> on client certificates
>
> http://w3ctag.github.io/client-certificates/
>
> I'd suggest reading that for guidance rather than the rumour mill.

Well, it's kind of disingenuous that companies who make browsers are against it and they present their claims.

The security model and threat models used for the web are broken. They are simply not realistic, and they represent some netherland that does not exist for most users. "Interception is a valid use case" is ghastly, including the abomination known as Public Key Pinning with Overrides. Claiming authority for it in the W3C's Priority of Constituencies is tenuous at best. Even the IETF is embarrassed by that standard.

The browser's inability to work with client certificates is one of the reasons the browser is delegated to low value data only. And not surprisingly, the same companies building the browsers tell you it's OK to handle high value data, and store the data in their clouds. It's like trying to ask a drunk if he is drunk, and trying to get a straight answer...

Client Certificates have long been the way we have combatted the chronic mishandling of secrets perpetuated by browsers.

Jeff
Received on Tuesday, 23 February 2016 10:35:29 UTC