[144785] in cryptography@c2.net mail archive
Re: Client Certificate UI for Chrome?
daemon@ATHENA.MIT.EDU (James A. Donald)
Wed Aug 26 22:19:33 2009
Date: Thu, 27 Aug 2009 09:36:44 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: Ben Laurie <benl@google.com>
CC: Peter Gutmann <pgut001@cs.auckland.ac.nz>, cryptography@metzdowd.com
In-Reply-To: <1b587cab0908260326v40cca144yfb8bb378b59fae71@mail.gmail.com>

Ben Laurie wrote:
> If the problem you are trying to solve is client
> authentication then client certs have some obvious
> value.

But if client certs are Certificate Authority centric,
then they prove that so and so's true name is so and so.
They don't prove that so and so is one of our gang,
which is generally what people care about.

A typical situation is that someone whose legal address
is in the United States wants to order some good from
an entity whose physical address is China, but whose
legal address is in a tax haven, for delivery to a
physical address in Singapore. True names are rather
low on their list of priorities.

If you want to get people to use client certificates,
client certificates have to do what people want, not
what governments and certification authorities want.

What is needed is client certificates that work like
shibboleths or gang colors. Microsoft's CardSpace
was a try at that idea.

---------------------------------------------------------------------
The Cryptography Mailing List