Ben Laurie wrote:
> If the problem you are trying to solve is client
> authentication then client certs have some obvious
> value.

But if client certs are Certificate Authority centric, then they prove that so and so's true name is so and so. They don't prove that so and so is one of our gang, which is generally what people care about.

A typical situation is that someone whose legal address is in the United States wants to order some good from an entity whose physical address is China, but whose legal address is in a tax haven, for delivery to a physical address in Singapore. True names are rather low on their list of priorities.

If you want to get people to use client certificates, client certificates have to do what people want, not what governments and certification authorities want. What is needed is client certificates that work like shibboleths or gang colors. Microsoft's CardSpace was a try at that idea.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com