[TLS] HTTPS client-certificate-authentication in browsers

Anders Rundgren <anders.rundgren@telia.com> Mon, 25 July 2011 12:07 UTC

Return-Path: <anders.rundgren@telia.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id D2E7B21F84D4 for <tls@ietfa.amsl.com>; Mon, 25 Jul 2011 05:07:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.59
X-Spam-Status: No, score=-3.59 tagged_above=-999 required=5 tests=[AWL=0.009, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id ypNcTn2IyI5J for <tls@ietfa.amsl.com>; Mon, 25 Jul 2011 05:07:15 -0700 (PDT)
Received: from smtp-out11.han.skanova.net (smtp-out11.han.skanova.net []) by ietfa.amsl.com (Postfix) with ESMTP id 1691421F84D7 for <tls@ietf.org>; Mon, 25 Jul 2011 05:07:11 -0700 (PDT)
Received: from [] ( by smtp-out11.han.skanova.net (8.5.133) (authenticated as u36408181) id 4D6512CA034AD355 for tls@ietf.org; Mon, 25 Jul 2011 14:07:09 +0200
Message-ID: <4E2D5C63.3000408@telia.com>
Date: Mon, 25 Jul 2011 14:06:59 +0200
From: Anders Rundgren <anders.rundgren@telia.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: tls@ietf.org
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: [TLS] HTTPS client-certificate-authentication in browsers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 12:07:16 -0000

Hi Guys,
I don't really know who "owns" this question but presumably you do...

HTTPS client-certificate-authentication in browsers
I don't believe that TLS CCA (Client Certificate Authentication) in the
form of HTTPS as implemented in current browsers has much of a future.

In fact, quite a bunch of the entities in the EU working with consumer PKI
have replaced HTTPS CCA with an application level scheme which wasn't such
a big deal since they anyway were forced writing a browser PKI client more
or less from scratch since the ones shipped with browsers doesn't support
PKI as defined by banks and government (like mandatory PIN codes also
for on-line enrolled keys).

That the TLS CCA protocol doesn't even support "Logout" haven't made
it a logical choice for web developers either.  Well, there are some
workarounds but they are by no means straightforward, supported
out-of-the-box by server authentication schemes, and are (of course)
entirely undocumented.

The button "Clear SSL state" in MSIE is an indication how horribly bad it
can go when security experts design systems for "people".

There's no way you can hide the fact that TLS CCA is only truly useful
securing tunnels between "boxes".