Gervase Markham wrote:
> A question which occurred to me, and I thought I'd put before an audience of the wise:
>
> * What advantages, if any, do client certs have over number-sequence widgets such as e.g. the HSBC Secure Key, used with SSL?
>
> http://www.hsbc.co.uk/1/2/customer-support/online-banking-security/secure-key
>
> It seems like they have numerous disadvantages (some subjective):
>
> * Client certs can be invisibly stolen if a machine is compromised
> * Client certs are harder to manage and reason about for an average person
> * Client certs generally expire and need replacing, with no warning
> * Client certs are either single-machine, or need a probably-complex copying process
>
> What are the advantages?
With client certs you don't need online access to a server backend infrastructure like for all the OTP mechs. Revocation checks can be done with simple CRLs. So it's far easier on the server side.

Ciao, Michael.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
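Michael's point above, shown end to end: the server-side check of a client certificate needs nothing but two files on disk, the issuing CA's certificate and its signed CRL, and no round trip to any backend. This is an added example, not code from the thread or from any of the participants; it drives the plain `openssl` CLI through a throwaway CA, two hypothetical users (alice and bob), an empty CRL, a revocation of bob, and a republished CRL, so the accept/reject outcome of `openssl verify -crl_check` can be seen before and after. The CA name, user names, directory layout and config sections are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): offline client-cert verification with
# a CA certificate plus CRL, using only the openssl CLI. The CA, the users
# alice and bob, and the directory layout are constructed here for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"

# A throwaway issuing CA. `openssl ca` wants a small database (index.txt),
# a serial file and a CRL number file, so create those first.
setup_ca() {
  mkdir -p "$CA"
  : > "$CA/index.txt"
  echo 1000 > "$CA/serial"
  echo 1000 > "$CA/crlnumber"
  cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext

[ demo_policy ]
commonName = supplied

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature
extendedKeyUsage = clientAuth

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ req_dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$CA/ca.cnf" \
    -subj "/CN=Demo Issuing CA" -keyout "$CA/ca.key" -out "$CA/ca.pem" \
    >/dev/null 2>&1
}

# Issue a client certificate for the CN given as $1, stored as $WORK/$1.pem.
issue_client_cert() {
  openssl req -newkey rsa:2048 -nodes -config "$CA/ca.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$CA/ca.cnf" \
    -in "$WORK/$1.csr" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# (Re)publish the CRL. This signed file is the only thing the CA has to hand
# to the server, so it can be copied or cached anywhere.
publish_crl() {
  openssl ca -batch -config "$CA/ca.cnf" -gencrl -out "$CA/crl.pem" >/dev/null 2>&1
}

# Revoke the certificate of user $1 in the CA database.
revoke_client() {
  openssl ca -batch -config "$CA/ca.cnf" -revoke "$WORK/$1.pem" >/dev/null 2>&1
}

# The server-side check: chains to the CA, usable as a TLS client cert, and
# not listed on the CRL. Nothing here touches the network; exit status 0
# means "accept".
verify_client() {
  openssl verify -crl_check -purpose sslclient \
    -CAfile "$CA/ca.pem" -CRLfile "$CA/crl.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

report() {
  if verify_client "$1"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

setup_ca
issue_client_cert alice
issue_client_cert bob
publish_crl            # empty CRL: both users are still good
report alice
report bob
revoke_client bob
publish_crl            # CRL now lists bob's serial
report alice           # alice: accepted
report bob             # bob: rejected
```

The TLS server would do the same thing in-process via `SSL_CTX_set_verify` with CRL checking enabled on its X509 store, but the CLI makes the property visible: once `ca.pem` and the current `crl.pem` are on the box, the decision is purely local, and the only operational dependency is refreshing the CRL before its `nextUpdate` passes. The contrast is with an OTP check, where the server must hold (and protect) every user's shared secret and consult it on each login.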