- From: Mitar <mmitar@gmail.com>
- Date: Tue, 1 Mar 2016 18:18:22 -0800
- To: Crispin Cowan <crispin@microsoft.com>
- Cc: Ángel González <angel@16bits.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi!

On Tue, Mar 1, 2016 at 12:55 PM, Crispin Cowan <crispin@microsoft.com> wrote:
> Microsoft corporate domain joined machines have certificates installed, as you might imagine. One day, doubleclick (I think) "oopsed" something in their syndicated ads, causing the ad content to request client certs. Result: *everyone* visiting ad-sponsored content sites suddenly starts getting cert prompts at random, asking to authorize a cert to authenticate to a news content site for no visible reason, or worse, to select a cert. That was a day of chaos and cranky users.

But browsers should remember that they said no, and that would be it?

> I have *no* interest in implementing this proposal. Asking users to authorize certificates is a non-starter, users do not understand certificates and should never be asked about them.

Hm, what is the difference between asking them for a username and asking them for a certificate identity? They choose one or the other. That is it. The fact that a certificate allows one to create statements which can be verified by a 3rd party (signatures) is just an implementation detail users should not care about.

To me it is really the same thing: I want to log in to the website, and I choose a username from my keychain to populate the password, or I choose the certificate. But the certificate also allows one to sign stuff, instead of business logic on the website assuring that, because the user specified a username and password at a given moment, they are linked to that same stuff.

Imagine blog comments. Currently business logic links authorship through the username/password process. With certificates, 3rd-party verifiers could verify authorship of those comments. For the user, there is no difference. Why are we making so big a difference? Is it because the signature could be misused? The user could be tricked into signing some text? But this is to me just a case of a replay attack. Then let's simply include the origin/URL in the signature and that is it, or some other nonce?

So the browser adds the origin/URL to the text before signing it, so it is clear where the signature was made and it cannot simply be reused elsewhere? So what is problematic about even automatically signing a form with a client certificate, without a prompt, if that content would automatically also include the origin or URL (it would be added by the browser)? We would get 3rd-party verifiable signatures and this would be great.

Mitar

--
http://mitar.tnode.com/
https://twitter.com/mitar_m
Received on Wednesday, 2 March 2016 02:18:55 UTC