[144718] in cryptography@c2.net mail archive

Re: Client Certificate UI for Chrome?

daemon@ATHENA.MIT.EDU (Frank Siebenlist)
Tue Aug 11 11:51:09 2009

Cc: Frank Siebenlist <franks@mcs.anl.gov>
From: Frank Siebenlist <franks@mcs.anl.gov>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>,
 cryptography@metzdowd.com
In-Reply-To: <E1MZ2PF-0007Rc-PA@wintermute02.cs.auckland.ac.nz>
Date: Mon, 10 Aug 2009 14:51:46 -0700

[Moderator's note: top posting considered harmful:
  http://www.mail-archive.com/cryptography@metzdowd.com/msg09287.html
        --Perry]

Just to complicate things a little... we're working with a number of
groups now who are using onlineCAs that issue short-lived x509 certs
derived from a primary authN mechanism like passwords or OTP.

It would be great to bake that functionality into chrome: use
TLS-SRP/PSK to authN to an onlineCA to obtain your short-lived cert in
real-time.

-Frank.


On Aug 6, 2009, at 5:49 AM, Peter Gutmann wrote:

> Ben Laurie <benl@google.com> writes:
>
>> So, I've heard many complaints over the years about how the UI for
>> client certificates sucks. Now's your chance to fix that problem -
>> we're in the process of thinking about new client cert UI for Chrome,
>> and welcome any input you might have. Obviously fully-baked proposals
>> are more likely to get attention than vague suggestions.
>
> This is predicated on the assumption that it's possible to make certificates
> usable for general users.  All the empirical evidence we have to date seems to
> point to this not being the case.  Wouldn't it be better to say "What can we
> do to replace certificates with something that works?", for example TLS-SRP
> or TLS-PSK?
>
> Peter.
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

---
Frank Siebenlist - franks@mcs.anl.gov
The Globus Alliance | Argonne National Laboratory | University of Chicago
