On Thu, Sep 25, 2014 at 01:29:04PM +0100, Gervase Markham wrote:
> A question which occurred to me, and I thought I'd put before an
> audience of the wise:
>
> * What advantages, if any, do client certs have over number-sequence
> widgets such as e.g. the HSBC Secure Key, used with SSL?
>
> http://www.hsbc.co.uk/1/2/customer-support/online-banking-security/secure-key
>
> It seems like they have numerous disadvantages (some subjective):
>
> * Client certs can be invisibly stolen if a machine is compromised

Well, the cert is quasi-public information, so it doesn't matter if they get
stolen, invisibly or otherwise. The private key, on the other hand... <grin>

But at any rate, just stick the key/cert in a USB HSM. Problem solved.

> * Client certs are harder to manage and reason about for an average
> person

Hmm... I think this one could go either way. If you get a cert/key on a USB
stick, is that massively different from the consumer's perspective from
getting a Yubikey or number-sequence token? From a usability standpoint, the
Yubikey or USB HSM is better, because it doesn't involve typing.

> * Client certs generally expire and need replacing, with no warning

As has been noted elsewhere, that's a UI problem, and number-sequence tokens
aren't immune either.

> * Client certs are either single-machine, or need a probably-complex
> copying process

Or a USB HSM. (I'm starting to see a pattern here)

> What are the advantages?

I can't think of any that others haven't already enumerated, so I'll just
reaffirm that being able to embed policy OIDs in certificates is *amazingly*
useful, and provides the ability to do authentication and authorization
without needing an always-on, real-time-capable connection back to the
mothership.

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
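Added example (not from this thread, Mozilla, or any project it mentions) of the offline policy-OID authorization the reply describes: the relying party holds nothing but its issuing CA's certificate and a clock, verifies the presented client certificate against that root, and then grants or denies an action purely from the certificatePolicies extension the certificate carries. The same chain check enforces NotBefore/NotAfter, so the "certs expire" point from the thread is handled in the same place. The policy OIDs under 1.3.6.1.4.1.99999, the read/write policy table and all function names are placeholders invented for this example; the CA and client certificates are generated in memory with Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Placeholder policy OIDs invented for this example; they are not a registered arc.
var (
	oidPolicyAdmin    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}
	oidPolicyReadOnly = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 2}
)

// allowedPolicies is the relying party's local rule (example policy): which asserted OIDs permit which action.
var allowedPolicies = map[string][]asn1.ObjectIdentifier{
	"read":  {oidPolicyReadOnly, oidPolicyAdmin},
	"write": {oidPolicyAdmin},
}

type policyInformation struct{ PolicyIdentifier asn1.ObjectIdentifier } // RFC 5280 PolicyInformation, qualifiers omitted

// issue generates a fresh Ed25519 key for tmpl and signs it with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds an in-memory self-signed issuing CA (constructed for the example).
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueClientCert issues a client-auth leaf signed by ca that asserts the given policy OIDs.
// The leaf private key is discarded here; in the setup the thread describes it stays on the USB HSM.
func issueClientCert(ca *x509.Certificate, caKey ed25519.PrivateKey, cn string, ttl time.Duration, policies ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(ttl),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if len(policies) > 0 {
		var infos []policyInformation
		for _, oid := range policies {
			infos = append(infos, policyInformation{PolicyIdentifier: oid})
		}
		der, err := asn1.Marshal(infos) // SEQUENCE OF PolicyInformation
		if err != nil {
			return nil, err
		}
		// id-ce-certificatePolicies (2.5.29.32), added as a raw non-critical extension.
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der}}
	}
	cert, _, err := issue(tmpl, ca, caKey)
	return cert, err
}

// authorize decides from local state only: the trusted root pool, the clock and the OIDs in the
// presented certificate. Nothing here talks to the issuer or any other service.
func authorize(roots *x509.CertPool, cert *x509.Certificate, now time.Time, action string) error {
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now, // chain building also enforces NotBefore/NotAfter
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return fmt.Errorf("client certificate rejected: %w", err)
	}
	for _, asserted := range cert.PolicyIdentifiers {
		for _, allowed := range allowedPolicies[action] {
			if asserted.Equal(allowed) {
				return nil
			}
		}
	}
	return fmt.Errorf("%q is not authorized to %s", cert.Subject.CommonName, action)
}
```

Calling newCA once, adding the result to an x509.CertPool, issuing a leaf with oidPolicyReadOnly and then running authorize for "read" and "write" shows the decision being made with no network access at all; a leaf from a second, unrelated CA is refused even when it asserts the admin OID, and the same leaf is refused once the clock passes its NotAfter. What the approach gives up is revocation: a relying party that never phones home does not learn about a lost key until the certificate expires, so certificate lifetime and CRL distribution have to be planned together with the policy OIDs.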

