Re: [TLS] HTTPS client-certificate-authentication in browsers

Peter Gutmann <> Wed, 27 July 2011 03:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5F37721F84A1 for <>; Tue, 26 Jul 2011 20:51:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.622
X-Spam-Status: No, score=-3.622 tagged_above=-999 required=5 tests=[AWL=-0.023, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0euxzXB08Crq for <>; Tue, 26 Jul 2011 20:51:34 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7B78721F849F for <>; Tue, 26 Jul 2011 20:51:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=uoa; t=1311738695; x=1343274695; h=from:to:subject:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<> ||Subject:=20Re:=20[TLS]=20HTTPS=20clie nt-certificate-authentication=20in=20browsers |In-Reply-To:=20<> |Message-Id:=20< .nz>|Date:=20Wed,=2027=20Jul=202011=2015:51:20=20+1200; bh=9VRW2igjliYnyQ3ui65jvJKqqdnZ2gTuuzgkbC+ZnpE=; b=EuXky1YX2N5/EvnQ4JYrqHJjZaJbLe3MFjYRFqib8u3yg7qsbUYhpgK+ AX9ACgxXzHb0R5hFMQKvbrnm6htjaBEizg3BG3T2uiyvDjnDNZJ2XJyoR GjfJOFyuHpg1KUBO6rfTdGcTWQD4P4eY5roQjeEHaEX5JHBhj7hrnpw4j s=;
X-IronPort-AV: E=Sophos;i="4.67,273,1309694400"; d="scan'208";a="74323957"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 27 Jul 2011 15:51:21 +1200
Received: from ([]) by with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <>) id 1Qlv9U-0006uP-Iy for; Wed, 27 Jul 2011 15:51:20 +1200
Received: from pgut001 by with local (Exim 4.69) (envelope-from <>) id 1Qlv9U-0005Gx-RA for; Wed, 27 Jul 2011 15:51:20 +1200
From: Peter Gutmann <>
In-Reply-To: <>
Message-Id: <>
Date: Wed, 27 Jul 2011 15:51:20 +1200
Subject: Re: [TLS] HTTPS client-certificate-authentication in browsers
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Jul 2011 03:51:35 -0000

Daniel Kahn Gillmor <> writes:

>Am i missing something that makes this approach difficult or wrong?

See the reference to the study I posted earlier (one of numerous studies with
similar results) that found that people with PhDs in computer science took
over two hours just to configure a cert for use on their machine, and rated it
as the hardest computer task they'd ever been asked to perform.

You've looked at the trivial part and completely missed the real problem,
which is:

  When the user visits that URL with an acceptable client-side certificate

You're not starting with "a user visiting a URL with an acceptable client-side
certificate", you're starting with "Joe Sixpack sitting in front of a PC (that
has no certificates)".  Your challenge is to design, implement, and
demonstrate successful use of, a mechanism to get from "Joe Sixpack in front
of his computer" to "a user visiting a URL with an acceptable client-side

All the evidence we have so far for this, from real-world evaluations, is that
it can't be done except in carefully-controlled environments, at enormous cost
and effort.