Re: [TLS] HTTPS client-certificate-authentication in browsers

"t.petch" <> Mon, 01 August 2011 20:36 UTC

From: "t.petch" <>
To: "Peter Gutmann" <>, <>
Date: Mon, 1 Aug 2011 21:30:14 +0200
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

---- Original Message -----
From: "Peter Gutmann" <>
To: <>
Cc: <>
Sent: Thursday, July 28, 2011 8:11 AM
Subject: Re: [TLS] HTTPS client-certificate-authentication in browsers

> Martin Rex <> writes:
> >Anders Rundgren wrote:
> >> Lots of banks want to use CCA for their users.
> >
> >That is a non sequitur.
> >
> >Banks (here in Germany) have abandoned traditional TANs based on the
> >unconditional presumption that client PCs are infested with malware, and
> >most banks in Germany are currently replacing indexed TANs (iTAN) presumably
> >based on the perception that malware on clients (trojans/phishing) has caught
> >up with iTAN procedure complexity.
> >
> >At this point, with the presumption that all client PCs are thoroughly
> >infested with malware, going for a Single Sign-On mechanism would be
> >completely braindead and irresponsible.
>
> That was my feeling as well.  Moving from TANs (or plain passwords if you're a
> US bank) to client certs is at best pointless and at worst a step backwards in
> security.  Even if you could overcome the monumental usability problems (and
> there's no evidence that we can do this), you end up with a mechanism that's
> even less secure than basic TANs because use of a TAN requires human
> intervention while a MITB (man-in-the-browser) can use your private key to
> sign whatever they want as often as they want without your knowledge.  Client-
> side PKI was designed for an attack model invented by cryptographers to
> justify the use of fun crypto stuff, but it has little (if anything) to do
> with the threats that we're actually facing today.

Coincidentally, one of the five big UK banks has today, 1st August, announced
HSBC Secure Key, a hand held card device that turns your PIN into a one-time six
digit passcode.  No technical details, but the advertisement claims that it is
an improvement on the German WWII devices (and half the advertisement is
encrypted - HX01896a1 54f30cd38 ...).  Another of the banks, Barclays, has had
PINsentry for a while, which takes your PIN and your debit card to generate an 8
digit passcode.

I have yet to use either but have seen technology similar to the former used
extensively in an Enterprise setting, for use by travelling salesmen in hotels.

Tom Petch

> Peter.