Re: [TLS] HTTPS client-certificate-authentication in browsers

Matt McCutchen <matt@mattmccutchen.net> Wed, 27 July 2011 04:16 UTC

From: Matt McCutchen <matt@mattmccutchen.net>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
In-Reply-To: <E1Qlv9U-0005Gx-RA@login01.fos.auckland.ac.nz>
References: <E1Qlv9U-0005Gx-RA@login01.fos.auckland.ac.nz>
Date: Wed, 27 Jul 2011 00:16:46 -0400
Message-ID: <1311740206.7071.87.camel@localhost>
Cc: tls@ietf.org

On Wed, 2011-07-27 at 15:51 +1200, Peter Gutmann wrote:
> See the reference to the study I posted earlier (one of numerous studies with
> similar results) that found that people with PhDs in computer science took
> over two hours just to configure a cert for use on their machine, and rated it
> as the hardest computer task they'd ever been asked to perform.

Your reference to people with PhDs in computer science is misleading: a
PhD is a highly specialized degree that does not necessarily imply broad
computing ability.  The point that certificate enrollment is a pain
stands.

-- 
Matt