Re: [TLS] HTTPS client-certificate-authentication in browsers

Peter Gutmann <> Wed, 27 July 2011 05:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B18335E801D for <>; Tue, 26 Jul 2011 22:34:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.621
X-Spam-Status: No, score=-3.621 tagged_above=-999 required=5 tests=[AWL=-0.022, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id l1RPhIUr3Iy5 for <>; Tue, 26 Jul 2011 22:34:22 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id BC96221F8B99 for <>; Tue, 26 Jul 2011 22:34:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=uoa; t=1311744862; x=1343280862; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<> |, z|Subject:=20Re:=20[TLS]=20HTTPS=20client-certificate-aut hentication=20in=20browsers| |In-Reply-To:=20<1311740206.7071.87.camel@localhost> |Message-Id:=20< .nz>|Date:=20Wed,=2027=20Jul=202011=2017:34:11=20+1200; bh=3EsHSgHsP2YxBbhCzkwGjg6kKPRGgVzE/3IsAXOqu0E=; b=K32TJbITGd3sFyZFuc/KawTpLnA8ej9DNwLbP7LrWyB47ullzUqk2gfS iD+pX8FAr9zS6gqGhcP3jg25f5NlfhvnKAOE9SElZrCcQXiEIaRhHU+Dj NkTyrmJUzDYVC5ao6plJETUQ8ixHZ/zTrxvWS6jftPj1OYCJjN1iFAjxf c=;
X-IronPort-AV: E=Sophos;i="4.67,274,1309694400"; d="scan'208";a="74355184"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 27 Jul 2011 17:34:11 +1200
Received: from ([]) by with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <>) id 1Qlwl1-0003FA-HR; Wed, 27 Jul 2011 17:34:11 +1200
Received: from pgut001 by with local (Exim 4.69) (envelope-from <>) id 1Qlwl1-0003tZ-Bf; Wed, 27 Jul 2011 17:34:11 +1200
From: Peter Gutmann <>
In-Reply-To: <1311740206.7071.87.camel@localhost>
Message-Id: <>
Date: Wed, 27 Jul 2011 17:34:11 +1200
Subject: Re: [TLS] HTTPS client-certificate-authentication in browsers
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Jul 2011 05:34:22 -0000

Matt McCutchen <> writes:

>Your reference to people with PhDs in computer science is misleading: a PhD
>is a highly specialized degree that does not necessarily imply broad computing

"OK, so you have a PhD. Just don't touch anything" :-).  That was just the
first study, and I mentioned the PhD thing to avoid the "it was carried out on
students, they're not representative" criticism.  Other studies were carried
out on IT students (which I'd say is actually a good sample of very tech-savvy
users, so they'd be non-representative in being too good a fit rather than too
bad a fit), and possibly on random samples of people (I'd have to trawl
through the refs again to see who all the subjects were).  From memory I don't
think any were done on the Joe-Sixpack demographic, probably because the
outcome would be a foregone conclusion ("Failure to enrol: 100%").