Re: [TLS] HTTPS client-certificate-authentication in browsers

Peter Gutmann <> Tue, 02 August 2011 04:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 41A4E21F8C90 for <>; Mon, 1 Aug 2011 21:58:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.594
X-Spam-Status: No, score=-3.594 tagged_above=-999 required=5 tests=[AWL=0.005, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Uur3tF9BBXuE for <>; Mon, 1 Aug 2011 21:58:16 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 3025921F8D78 for <>; Mon, 1 Aug 2011 21:58:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=uoa; t=1312261104; x=1343797104; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<> |,,=20pgut001@cs.|Subject:=20Re:=20[TLS]=20HTTPS=20client-ce rtificate-authentication=20in=20browsers|Cc:=20tls@ietf.o rg|In-Reply-To:=20<003f01cc5081$d8fa7e40$4001a8c0@gateway>|Message-Id:=20<E1Qo73V-0000Gv-1I@login01.fos.>|Date:=20Tue,=2002=20Aug=202011=2016:58:13 =20+1200; bh=Te8ypRUYCsqqjMzDxlNJHQdDcjoIDC4VaY5NJZuF2XY=; b=dCXd79MqHuDRXmp0njGNyR3kR/UJZjQULKHtrX6sJ/XmFcjjReUYPeTU 5p0D2VPZ5TultLqqXl/suV75NIK93joFZUtZjmwg0tUFIxPpa0jPEdtps ugIntKIBx2PQdy8hl4Q5VHNbF8udv/4ZNN4kEhE3VhTIAKz97SQyNKvdc g=;
X-IronPort-AV: E=Sophos;i="4.67,305,1309694400"; d="scan'208";a="75470304"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 02 Aug 2011 16:58:13 +1200
Received: from ([]) by with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <>) id 1Qo73V-0007aC-GN; Tue, 02 Aug 2011 16:58:13 +1200
Received: from pgut001 by with local (Exim 4.69) (envelope-from <>) id 1Qo73V-0000Gv-1I; Tue, 02 Aug 2011 16:58:13 +1200
From: Peter Gutmann <>
In-Reply-To: <003f01cc5081$d8fa7e40$>
Message-Id: <>
Date: Tue, 02 Aug 2011 16:58:13 +1200
Subject: Re: [TLS] HTTPS client-certificate-authentication in browsers
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Aug 2011 04:58:17 -0000

"t.petch" <> writes:

>Coincidentally, one of the five big UK banks has today, 1st August, announced
>HSBC Secure Key, a hand held card device that turns your PIN into a one-time
>six digit passcode.  No technical details,

It's just a SecurID variant, so no better than the static TANs that the German
banks are abandoning.

>Another of the banks, Barclays, has had PINsentry for a while, which takes
>your PIN and your debit card to generate a 8 digit passcode.

The Barclays device is a Gemalto CAP reader rebranded.  I don't know how
Barclays are using it (<cynic>given the security record of UK banks it'll be
"incorrectly"</cynic>), but if used correctly it's actually phishing-
resistant, you enter the transaction details and it generates a crypto MAC
from them which prevents a MITB attack.

Of course as certain folks from Cambridge have pointed out, you then have to
implement the underlying protocols correctly in order for the whole thing to
be secure, but it's good enough to stop phishers/MITB.