Re: The Certificate Agenda Point

On Tue, Apr 23, 2013 at 11:19 PM, Anders Rundgren
<anders.rundgren@telia.com> wrote:
> On 2013-04-24 07:41, Jeffrey Walton wrote:
>> On Tue, Apr 23, 2013 at 10:19 PM, Anders Rundgren
>> <anders.rundgren@telia.com> wrote:
>>> The problem in a nutshell is that the use-case for consumer-PKI only exists outside of the US while the platforms essentially are all of US origin.
>>>
>> What is consumer-PKI? A PKI that relies on a commercial CA? Or the
>> browser's use of commercial CAs and subordinates? Or perhaps a
>> an application by a commercial company whose PKI uses its own private CA?
>
> Jeff,
> Your questions reveal that you are from the US :-)
Yes. I'd like to ex-pat for a few years to expand my [limited] knowledge.

> Consumer-PKI is essentially about replacing passwords with client certificates
> where the private key is often stored in hardware.
OK, my bad. I thought it might be client certs, but I could not figure
out how the agenda comment tied into client certs.

> .... two most well-known vendors in the PC-business, Microsoft
> and Intel have repeatedly rejected the idea that their new baby, the TPM 2.0
> would support consumer-PKIs.  They succeeded!
You would need to offload the certificate and crypto functions onto
hardware for it to be effective (but not foolproof). TPMs are
glorified/repurposed smart cards that don't offer the processing
horsepower needed for the offload. Economics is not going to allow the
required hardware on commodity hardware.

Also, unattended {secret|key|certificate} storage is an intractable
problem, and it cannot be solved with any hardware you throw at it.
(Or does your proposed solution require a
PIN/Password/Passphrase/Fingerprint for access?).

Finally, smartphone sales exceeded PC sales in 2011 [0]. I'm not sure
Apple and AOSP are doing any better in the mobile market than
Microsoft in the PC market.

> Android?
>
>   https://groups.google.com/forum/#!msg/android-security-discuss/6YrgoV_IuhA/j1ov3XBNI4gJ
Ah, yes. I recall seeing that whiz by. That's a usability issue.
Usability issues have plagued client certificates for years.

> Can you possibly do worse?
:)

Jeff

[0] http://www.canalys.com/newsroom/smart-phones-overtake-client-pcs-2011

Received on Wednesday, 24 April 2013 03:56:24 UTC