On Tue, Jan 8, 2013 at 8:40 AM, ianG <[email protected]> wrote:
>
>> IMO, the answer to phishing is to solve the password problem, and the
>> solution to the password problem is really good password managers. But
>> I haven't had much luck selling that solution. Probably because,
>> rather like Peter's solution, it has a largish element of fluff.
>
> Nod. Actually, using client certs gets you most of the way there [0]. But
> like passwords, we need to replace the bad password manager (aka the human)
> with a better password manager, in software. So the solution is the same.

Quite so. What I didn't bother to expand on, but it's clearly the end game, is once you have a really good password manager then it can manage other secrets, such as private keys, and since we've cut the human out of the interaction part of signing in, they will be just as usable as passwords. But with clearly superior security properties.

> [0] Point being that if one does the analysis, client certs dominate
> passwords at many levels. Especially when we've got away from insisting
> that a password be memorable, something I'm sure everyone here understands.
>
> So why aren't client certs the focus of more attention? Well, I will leave
> a conjecture on the table: because the CAs have a lot of trouble selling
> them, and the vendor teams work closely with CAs and other infrastructure
> sellers of PKI software. So, the vendor teams see no demand.

I will readily agree that this is why CAs aren't doing research on client certs, but they're hardly the only actors in this world. My experience is that client certs do not get focus because they have a horrible UI, because they shift the user experience from the website to the browser and because there's no good story for portability (i.e. moving them between devices). There are also secondary issues, like privacy concerns.

I guess I should mention another thing Google is doing at this point: http://www.browserauth.net/.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
