client certs) you
cannot simply reset its TLS state. You have to restart the browser.
This is only one minor detail why client certs are not used.
Ciao, Michael. (currently playing around again with a PKI product which uses
client certs and crypto token)
_
A relevant point here is that one of the main reasons for the difficulty in
using client certs was a preposterous patent claim to the implementation of
RSA in a hardware device with a USB serial interface.
I kid you not.
That might not be as much of an issue these days. The patent might have
Gervase Markham wrote:
> A question which occurred to me, and I thought I'd put before an
> audience of the wise:
>
> * What advantages, if any, do client certs have over number-sequence
> widgets such as e.g. the HSBC Secure Key, used with SSL?
>
> http://www.hsbc.
Am 2014-09-25 um 14:29 schrieb Gervase Markham:
> What are the advantages?
One-time passwords can be phished, certs can't.
Kind regards,
Jan
--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam fi
On 06/10/14 14:13, Phillip Hallam-Baker wrote:
> I have the configurator running for Windows Live Mail and I will add
> outlook soon. But I abandoned the attempt to do T-bird because I just
> can't get the dev system running on my Windows box despite more than a
> day trying. The documentation is i
On Thu, Sep 25, 2014 at 8:29 AM, Gervase Markham wrote:
> A question which occurred to me, and I thought I'd put before an
> audience of the wise:
>
> * What advantages, if any, do client certs have over number-sequence
> widgets such as e.g. the HSBC Secure Key, use
On Fri, Sep 26, 2014 at 1:09 PM, Ryan Sleevi
wrote:
> There is so much usability failure in smart cards that I've
> worked quite hard to keep them out of scope of W3C Web Crypto WG
Thank you.
> (which,
> unfortunately, looks like that may fail in the rechartering and all hell
> will break loose).
n important difference compared with client certs, particularly when
exposed programmatically.
Further, by defining a limited signing protocol, as opposed to the common
"sign this hash" in smart cards, you avoid issues where your email program
has the same access as your tax filing program an
separate device like Secure Key that you don't plug in to anything. My guess is that that's where they are coming from--the effectiveness of reducing risk weighed against the cost of bank fraud. Relying on client certs wouldn't sufficiently reduce that risk. Still, it's possible t
> > > audience of the wise:
> > >
> > > * What advantages, if any, do client certs have over number-sequence
> > > widgets such as e.g. the HSBC Secure Key, used with SSL?
> >
> > That needs to be thoroughly checked, but I think it also renders MitM
ce of the wise:
> >>
> >> * What advantages, if any, do client certs have over number-sequence
> >> widgets such as e.g. the HSBC Secure Key, used with SSL?
> >>
> >> http://www.hsbc.co.uk/1/2/customer-support/online-banking-security/secure-key
>
>
On Fri, September 26, 2014 2:06 am, Gervase Markham wrote:
> On 25/09/14 22:33, Matt Palmer wrote:
> >> * Client certs can be invisibly stolen if a machine is compromised
> >
> > Well, the cert is quasi-public information, so it doesn't matter if they
> > get
On Fri, September 26, 2014 2:39 am, Erwann Abalea wrote:
> Le jeudi 25 septembre 2014 14:29:04 UTC+2, Gervase Markham a écrit :
> > A question which occurred to me, and I thought I'd put before an
> > audience of the wise:
> >
> > * What advantages, if any,
Le jeudi 25 septembre 2014 14:29:04 UTC+2, Gervase Markham a écrit :
> A question which occurred to me, and I thought I'd put before an
> audience of the wise:
>
> * What advantages, if any, do client certs have over number-sequence
> widgets such as e.g. the HSBC Secur
Gervase Markham schrieb:
> A question which occurred to me, and I thought I'd put before an
> audience of the wise:
>
> * What advantages, if any, do client certs have over number-sequence
> widgets such as e.g. the HSBC Secure Key, used with SSL?
>
> http://www.hsbc.
On 25/09/14 22:33, Matt Palmer wrote:
>> * Client certs can be invisibly stolen if a machine is compromised
>
> Well, the cert is quasi-public information, so it doesn't matter if they get
> stolen, invisibly or otherwise. The private key, on the other hand...
> But at a
On 25/09/14 17:53, Robin Alden wrote:
> I can send out a million client certificates for negligible
> cost.
Good point.
Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-securi
On Fri, Sep 26, 2014 at 12:33 AM, Matt Palmer wrote:
> On Thu, Sep 25, 2014 at 01:29:04PM +0100, Gervase Markham wrote:
>> A question which occurred to me, and I thought I'd put before an
>> audience of the wise:
>>
>> * What advantages, if any, do client
On Thu, Sep 25, 2014 at 01:29:04PM +0100, Gervase Markham wrote:
> A question which occurred to me, and I thought I'd put before an
> audience of the wise:
>
> * What advantages, if any, do client certs have over number-sequence
> widgets such as e.g. the HSBC Secur
Also, policy and authorization is often embedded in client certs.
Software that knows how to read this information can provide permissions
based on the included policy. This is used by first responders and large
distributed networks where the credential acts as their permission to
participate
m: dev-security-policy [mailto:dev-security-policy-
> bounces+robin=comodo@lists.mozilla.org] On Behalf Of Gervase
> Markham
> Sent: 25 September 2014 13:29
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Client certs
>
> A question which occurred to me, and
On 2014-09-25 15:12, Gervase Markham wrote:
simply means that you can only use it on a computer
which has an appropriate and available slot for the token to go into.
They can usually be connected using USB, but it's probably not easy to
connect that to your phone, and you probably don't always
On 25/09/14 13:53, Kurt Roeckx wrote:
> On 2014-09-25 14:29, Gervase Markham wrote:
>> A question which occurred to me, and I thought I'd put before an
>> audience of the wise:
>>
>> * What advantages, if any, do client certs have over number-sequence
>>wi
On 25/09/14 13:45, Michał Purzyński wrote:
> In order to leak the private cert you need to compromise the host.
> Leaking the password is easier - you can compromise the web
> application, the target server, the target company or the client’s
> machine. You have a few more attack vectors with passw
On 25/09/14 13:43, Steve Roylance wrote:
> You can encrypt communications if you have a public/private key pair
You can; although most often that's provided by the server in the model
of computing most prevalent on the web today.
> You can digitally sign (with the full support of digital signatu
On 2014-09-25 14:29, Gervase Markham wrote:
A question which occurred to me, and I thought I'd put before an
audience of the wise:
* What advantages, if any, do client certs have over number-sequence
widgets such as e.g. the HSBC Secure Key, used with SSL?
You seem to be unde
+password on it.
Everyone, except the company I was working for :-)
On 25 Sep 2014, at 14:29, Gervase Markham wrote:
> A question which occurred to me, and I thought I'd put before an
> audience of the wise:
>
> * What advantages, if any, do client certs have over number-sequence
>
Steve
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve.roylance=globalsign@lists.mozilla.org] On Behalf Of
> Gervase Markham
> Sent: 25 September 2014 13:29
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject
A question which occurred to me, and I thought I'd put before an
audience of the wise:
* What advantages, if any, do client certs have over number-sequence
widgets such as e.g. the HSBC Secure Key, used with SSL?
http://www.hsbc.co.uk/1/2/customer-support/online-banking-security/secure-ke