Have folks looked at http://www.mozilla.org/persona/
It's essentially JSON certificates for client authentication. Implementing this at the application layer allows them to have a better user experience as well as better client compatibility.

Sent from my iPhone

On Oct 10, 2012, at 8:54 AM, Steven Bellovin <[email protected]> wrote:

>
> On Oct 10, 2012, at 9:09 AM, Ben Laurie <[email protected]> wrote:
>
>> On Wed, Oct 10, 2012 at 1:44 PM, Guido Witmond <[email protected]> wrote:
>>> Hello Everyone,
>>>
>>> I'm proposing to revitalise an old idea. With a twist.
>>>
>>> The TL;DR:
>>>
>>> 1. Ditch password based authentication over the net;
>>>
>>> 2. Use SSL client certificates instead;
>>>
>>> Here comes the twist:
>>>
>>> 3. Don't use the few hundred global certificate authorities to sign
>>> the client certificates. These CA's require extensive identity
>>> validations before signing a certificate. These certificates are
>>> only useful when the real identity is needed.
>>> Currently, passwords provide better privacy but lousy security;
>>>
>>> 4. Instead: install a CA-signer at every website that signs
>>> certificates that are only valid for that site. Validation
>>> requirement before signing: CN must be unique.
>>
>> http://tools.ietf.org/html/draft-balfanz-tls-obc-01
>
> Sorry, I accidentally hit "Send".
>
> The issue with any sort of client-side certs is private key availability,
> and in particular moving it from client machine to client machine. (I
> personally use about 4 different computers and three phones/tablets. I
> need a secure, privacy-preserving mechanism to synchronize my key store.)
>
>
> --Steve Bellovin, https://www.cs.columbia.edu/~smb
>
> _______________________________________________
> cryptography mailing list
> [email protected]
> http://lists.randombit.net/mailman/listinfo/cryptography
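The per-site CA scheme from points 3 and 4 of Guido's quoted proposal, as an added example that is not part of this thread: each site runs its own signer, the only check before signing is that the CN is unused at that site, and a certificate chains only to that site's CA. Go standard library only; the SiteCA type, its methods and the 24-hour validity are my assumptions. Issue takes the client's public key, so the private key stays with the client (the store Bellovin's reply says must be synchronized).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// SiteCA models point 4 of the proposal: a signer at one website whose client certificates are valid only there (hypothetical type).
type SiteCA struct {
	cert   *x509.Certificate
	key    ed25519.PrivateKey
	issued map[string]bool // CNs already signed; uniqueness is the only validation rule
}
// sign sets the serial and a 24h validity window (assumed), signs t with the parent's key and parses the result.
func sign(t, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey, serial int64) (*x509.Certificate, error) {
	t.SerialNumber, t.NotBefore, t.NotAfter = big.NewInt(serial), time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
// NewSiteCA creates a self-signed CA for one site; no global root store knows it.
func NewSiteCA(site string) (*SiteCA, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	t := &x509.Certificate{Subject: pkix.Name{CommonName: "CA for " + site},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert, err := sign(t, t, pub, key, 1)
	return &SiteCA{cert: cert, key: key, issued: map[string]bool{}}, err
}
// Issue signs a client certificate for cn (the client keeps its private key), refusing a CN already taken at this site.
func (ca *SiteCA) Issue(cn string, pub ed25519.PublicKey) (*x509.Certificate, error) {
	if ca.issued[cn] { return nil, errors.New("CN already registered at this site: " + cn) }
	t := &x509.Certificate{Subject: pkix.Name{CommonName: cn},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	c, err := sign(t, ca.cert, pub, ca.key, int64(len(ca.issued)+2))
	if err == nil { ca.issued[cn] = true }
	return c, err
}
// Verify accepts only certificates chaining to this site's CA; one from another site's CA (or a global CA) fails.
func (ca *SiteCA) Verify(c *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

The same CN can be registered at two different sites, since each site's CA only sees its own namespace; what the scheme does not solve is Bellovin's point about moving the client's private key between devices.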
