Re: [TLS] HTTPS client-certificate-authentication in browsers

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 28 July 2011 15:12 UTC

Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEA0921F8CAF for <tls@ietfa.amsl.com>; Thu, 28 Jul 2011 08:12:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.619
X-Spam-Level:
X-Spam-Status: No, score=-3.619 tagged_above=-999 required=5 tests=[AWL=-0.020, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aYeWbNU92z5E for <tls@ietfa.amsl.com>; Thu, 28 Jul 2011 08:12:54 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by ietfa.amsl.com (Postfix) with ESMTP id 1102421F8C0B for <tls@ietf.org>; Thu, 28 Jul 2011 08:12:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1311865974; x=1343401974; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20anders.rundgren@telia.com,=20pgut001@cs.auckland.a c.nz|Subject:=20Re:=20[TLS]=20HTTPS=20client-certificate- authentication=20in=20browsers|Cc:=20stefan.winter@resten a.lu,=20tls@ietf.org|In-Reply-To:=20<4E317986.3040209@tel ia.com>|Message-Id:=20<E1QmSGa-0007gq-V7@login01.fos.auck land.ac.nz>|Date:=20Fri,=2029=20Jul=202011=2003:12:52=20+ 1200; bh=a61StRAPyNK+1UCYVfxM2fWvG4YTlgrmFK9xC6ekaCM=; b=Pdt2aAIJBcAhUaY9yyoAPpSnI39kjKt3nNJc4hEwtINx4fNujAMj8d9l jQox0/D8hRm2NA3kZzFwwfxoeJj+bxQD4c64rvQR+nkLr48w5aXoeUXyU EORfk2xMOmNm/Y1DwNABgZBkY2+AU4bHDKJ4noULx5OdDH1vzgBlE8GSw g=;
X-IronPort-AV: E=Sophos;i="4.67,282,1309694400"; d="scan'208";a="74607909"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 29 Jul 2011 03:12:53 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QmSGb-0006My-G9; Fri, 29 Jul 2011 03:12:53 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QmSGa-0007gq-V7; Fri, 29 Jul 2011 03:12:52 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: anders.rundgren@telia.com, pgut001@cs.auckland.ac.nz
In-Reply-To: <4E317986.3040209@telia.com>
Message-Id: <E1QmSGa-0007gq-V7@login01.fos.auckland.ac.nz>
Date: Fri, 29 Jul 2011 03:12:52 +1200
Cc: stefan.winter@restena.lu, tls@ietf.org
Subject: Re: [TLS] HTTPS client-certificate-authentication in browsers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 15:12:55 -0000

Anders Rundgren <anders.rundgren@telia.com>; writes:

>It may be nice from a security point of view but it is horribly inconvenient.
>I don't believe for a second that "this is where we are going".

It's standard for banks in (at least) NZ, SA, and possibly Australia.  From
talking to banking people involved with it, there haven't been any serious
problems.

(I've used mTANs before as a case study of "security works in practice but not
in theory", because when you tell security people about it they come up with
long lists of reasons why it'll never work, and then when you deploy it it
works just fine).

Peter.