[pkix] More on the deprecation of X.509 client certificates on the Web

Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 16 September 2015 07:18 UTC

To: "pkix@ietf.org" <pkix@ietf.org>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <55F917BC.2060600@gmail.com>
Date: Wed, 16 Sep 2015 09:18:20 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/nGPQLoP1wb2rSk1xlhjBxT7QqoQ>

Brad Hill (Facebook security expert):
https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0093.html

"and it puts authentication at a layer (the TLS handshake) where it is fundamentally problematic to the commonplace scalability and performance architecture of anything but hobbyist-level applications"

I agree with this [somewhat exaggerated] statement, but taken literally it means that PIV won't (or shouldn't) be used on the Web, since HTTPS CCA (Client Certificate Authentication) is [currently] the only solution available.