I don't know enough about crypto to make a decision as to whether or not enough protection is provided, but if the abstract is an accurate representation, then Nigori would fit perfectly for this task.

A quick web search doesn't seem to show any method of installing client certificates in Firefox with an extension, but there are ways of doing it quite easily with Internet Explorer (using the Windows Certificate Store). Currently Nigori only seems to support the storage of passwords and RSA keys, but I imagine it wouldn't be hard to define a new type for X.509 certificates and keys. If Nigori can be standardized and then integrated into client applications (like web browsers, mail clients, anything that uses or can use TLS) then I believe we'd have half the solution. The other half would be convincing service providers to allow TLS authentication.

Another thought though - how would a service provider get the public TLS cert? Typically, I've had to copy and paste the cert into a box or a config file.

Another another thought - is it a good idea to use multiple certs for different services or just one for all? Reuse shouldn't be a problem here, but there may be cases I'm not thinking of. It would probably be a good idea to allow for switching "profiles" which would use a different cert store (in case of multiple accounts on one service provider). If I'm logged into my email but then want to post on a different Twitter account and switch store to log into that Twitter account, I'd not have my email anymore. Do we need a method of selecting a cert to serve to different websites and then remembering it for that session until the browser is told to use a different one?

Iain.

-- 
Iain R. Learmonth MBCS
Electronics Research Group
School of Engineering
University of Aberdeen
Kings College
Aberdeen AB24 3UE
Tel: +44 1224 27 2799

The University of Aberdeen is a charity registered in Scotland No.SCO13683

________________________________________
From: Ben Laurie <[email protected]>
Sent: 13 November 2013 11:54
To: Learmonth, Iain Ross
Cc: Robin Wilton; perpass
Subject: Re: [perpass] Stopping password sniffing

On 13 November 2013 10:24, Learmonth, Iain Ross <[email protected]> wrote:
> I'm talking about storing TLS client certificates encrypted in the cloud and
> synchronising them across browsers, decrypting them client side with a
> symmetric key generated from a password.

http://www.links.org/files/nigori/nigori-protocol-01.html

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
