Gervase Markham wrote:
> A question which occurred to me, and I thought I'd put before an
> audience of the wise:
>
> * What advantages, if any, do client certs have over number-sequence
> widgets such as e.g. the HSBC Secure Key, used with SSL?
>
> http://www.hsbc.co.uk/1/2/customer-support/online-banking-security/secure-key
>
> It seems like they have numerous disadvantages (some subjective):
>
> * Client certs can be invisibly stolen if a machine is compromised
> * Client certs are harder to manage and reason about for an average
> person
> * Client certs generally expire and need replacing, with no warning
> * Client certs are either single-machine, or need a probably-complex
> copying process
>
> What are the advantages?
With client certs you can build very nice infrastructures which deliver:

* Single identity across multiple services without the need to integrate all services into an OTP structure.
* Deployable with services from different organisations.
* Some kind of "single sign on" for all services on one host (because the browser remembers the latest selected certificate for a given host).
* Issuance under strict policies. This helps organisations to enforce security standards and accountability.
* Relatively easy to implement on the server side.
* Requires https (no possibility to accidentally open a non-https login page).
* Possibility for central revocation management on the server side.
* Possibility to integrate mail encryption and document signatures.

Jürgen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
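An added illustration of the server-side points in Jürgen's list (this is example code written for this page, not code from either poster or from Mozilla): a Go program showing what a server actually does with the certificate a client presents. It chains the cert to the organisation's own CA, requires the clientAuth extended key usage that the issuance policy put there, and then consults a revocation store that lives entirely on the server, so revoking a user needs no action on the client. The CA names, the users alice/bob/carol, the serial numbers and the in-memory RevocationList are all constructed for the example; a real deployment would read a CRL or query OCSP instead of an in-memory map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationList stands in for the server-side revocation store (a CRL or OCSP in a real
// deployment; constructed in memory here). Keyed by issuer plus serial: serials are per-CA.
type RevocationList map[string]bool

func revocationKey(c *x509.Certificate) string { return c.Issuer.String() + "|" + c.SerialNumber.String() }
func (r RevocationList) Revoked(c *x509.Certificate) bool { return r[revocationKey(c)] }

// issue generates a fresh P-256 key and signs tmpl with signer (self-signed by the
// new key when parent is nil). Setup failures panic: this is demo plumbing only.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail to parse
	return cert, key
}

// newCA creates a self-signed issuing CA with a deliberately short validity window.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// issueClient issues a certificate usable only for TLS client authentication:
// the CA's policy, not the user, fixes the permitted use and the lifetime.
func issueClient(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, user string) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert
}

// VerifyClient is the check a server applies to the certificate a client presented in
// the TLS handshake: build a chain to a trusted CA, require the clientAuth extended key
// usage, then consult the revocation store (which crypto/tls leaves to the application).
func VerifyClient(presented *x509.Certificate, roots *x509.CertPool, rl RevocationList, now time.Time) (string, error) {
	chains, err := presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	// Walk the whole chain so a revoked intermediate also denies access.
	for _, c := range chains[0] {
		if rl.Revoked(c) {
			return "", fmt.Errorf("revoked certificate in chain: %s", c.Subject.CommonName)
		}
	}
	return presented.Subject.CommonName, nil // the authenticated identity
}

// RunScenario exercises one server trust store against a good user, a user revoked
// centrally on the server, and a cert from an unrelated CA that reuses a serial.
func RunScenario() (validUser string, validErr, revokedErr, untrustedErr error) {
	ca, caKey := newCA("Example Org Client CA")
	otherCA, otherKey := newCA("Unrelated CA")
	alice := issueClient(ca, caKey, 1001, "alice")
	bob := issueClient(ca, caKey, 1002, "bob")
	carol := issueClient(otherCA, otherKey, 1001, "carol")
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the server trusts only its own client CA
	rl := RevocationList{revocationKey(bob): true} // one server-side entry; the client changes nothing
	now := time.Now()
	validUser, validErr = VerifyClient(alice, roots, rl, now)
	_, revokedErr = VerifyClient(bob, roots, rl, now)
	_, untrustedErr = VerifyClient(carol, roots, rl, now)
	return
}
```

The same three outcomes are what a TLS server gets by setting `ClientAuth: tls.RequireAndVerifyClientCert` with `ClientCAs` set to the pool above; the revocation lookup is the part the TLS stack does not do for you, which is why it sits in an explicit function here.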

