Re: [pkix] X.509 client certificates on Web - Deprecated by Google

Yoav Nir <ynir.ietf@gmail.com> Thu, 03 September 2015 08:36 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: "pkix@ietf.org" <pkix@ietf.org>
Date: Thu, 03 Sep 2015 11:35:54 +0300
In-Reply-To: <55E7CF30.9000006@gmail.com>
Message-Id: <867FF7DA-C849-4535-A28A-14D475656A65@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/4KmPTtwtIPfO13Q0t4CfsgLOQHQ>

Hi, Anders.

I think at least the title of this message is misleading. Google is not deprecating client certificates. They’re deprecating the keygen attribute in forms (which could be used in enrollment, but there are other ways).

These are very different things.

Yoav

> On Sep 3, 2015, at 7:40 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/pX5NbX0Xack/discussion
> 
> "While a use case exists for provisioning TLS client certificates for authentication, such a use case is inherently user-hostile for usability, and represents an authentication scheme that does not work well for the web. An alternative means for addressing this use case is to employ the work of the FIDO Alliance [12], which has strong positive signals from Microsoft and Google (both in the WG), is already supported via extensions in Chrome [13], with Mozilla evaluating support via similar means [14]. This offers a more meaningful way to offer strong, non-phishable authentication, in a manner that is more privacy preserving, offers a better user experience, better standards support, and more robust security capabilities"
> 
> W3C.org spokesmen are now speaking the same language:
> https://lists.w3.org/Archives/Public/www-tag/2015Sep/0011.html
> 
> "There have been several high-profile attacks on client certificates (see
> for example "Triple Hand-shake" [1]) that make client certificates a not
> suitable for authentication systems. X.509 is also problematic to parse,
> leading to security issues [2]. While FIDO is not perfect (the privacy
> community needs to look at the channel ID work too), its definitely best of
> breed right now and I think will solve your use-case over the course of the
> next year"
> 
> -- Anders
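To make the distinction in the reply concrete, here is what the mechanism Chrome is removing actually looks like. This is an added illustration for readers of the archive, not part of either message in the thread; the form action, field name and challenge value are assumptions.

```html
<!-- Added example (not from the thread): the <keygen> element that Chrome is
     deprecating. It covers only key generation and enrollment; it plays no
     part in how an already-issued certificate is presented in the TLS
     handshake. Form action, field name and challenge value are assumptions. -->
<form method="post" action="/enroll">
  <!-- The browser generates a key pair in its own key store and submits the
       public key together with the server-supplied challenge as a base64
       SPKAC (SignedPublicKeyAndChallenge) in the "spkac" field. The private
       key never leaves the browser. -->
  <keygen name="spkac" keytype="rsa" challenge="server-issued-nonce-goes-here">
  <input type="submit" value="Request certificate">
</form>
```

On the server side the issuer verifies the self-signature over the SPKAC, checks that the embedded challenge is the one it issued for this session (so a captured SPKAC cannot be replayed), and only then issues a certificate for that public key, returned as application/x-x509-user-cert so the browser pairs it with the stored key. Presenting that certificate later, via the TLS CertificateRequest/Certificate exchange, is untouched by the keygen deprecation, which is the point the reply makes: enrollment and authentication are separate mechanisms.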