Re: [TLS] HTTPS client-certificate-authentication in browsers

Henry Story <henry.story@bblfish.net> Thu, 28 July 2011 15:07 UTC

From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <E1QmRpn-0006TH-5l@login01.fos.auckland.ac.nz>
Date: Thu, 28 Jul 2011 17:07:07 +0200
Message-Id: <6EDD6F49-33C4-46D3-9012-765170911A57@bblfish.net>
References: <E1QmRpn-0006TH-5l@login01.fos.auckland.ac.nz>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Martin Gaedke <martin.gaedke@informatik.tu-chemnitz.de>
Cc: Stefan Winter <stefan.winter@restena.lu>, tls@ietf.org
Subject: Re: [TLS] HTTPS client-certificate-authentication in browsers
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>

Hi Peter,

 You may want to ask Prof. Martin Gaedke about this. He is working his way through the 
EU area on this and should have some good pointers on where these token cards are 
going around here. 

   Henry

On 28 Jul 2011, at 16:45, Peter Gutmann wrote:

> Stefan Winter <stefan.winter@restena.lu> writes:
> 
>> Banking: These days, TAN lists are going away.
> 
> Is there any information on what's being done in countries like France, Italy,
> the Netherlands, Spain, ...?  The only place where it's really documented (in
> quite some detail) is Germany (with surrounding/similar countries like Austria
> and Switzerland using equivalent approaches), but what are other countries in
> Europe doing?  There's rather little information *from third parties, not the
> vendors* publicly available on how e-banking is done in France, Spain, ...,
> the pros and cons, how it deals with new attack types, and so on.
> 
>> a) cell phone transaction numbers:
> 
> The problem is that mTANs are vulnerable to smartphone malware, as Zeus has
> already shown.  It's currently a minor threat, but who knows how far the bad
> guys will take it.  On the whole though mTANs are a nice tradeoff, you get to
> verify the transaction over an independent channel, and the mTAN is a
> cryptographic hash over the transaction data so if a MITB tries to modify what
> the browser sends it gets detected.
> 
> Peter.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

Social Web Architect
http://bblfish.net/
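Peter's quoted remark that an mTAN is a cryptographic hash over the transaction data, so that a man-in-the-browser (MITB) rewriting the transaction gets detected, is easier to see in code. The following simulation is an added example and is not code from this thread or from any bank; it assumes the TAN is a truncated HMAC-SHA256 over a canonical encoding of session id, recipient IBAN and amount (the message only says "cryptographic hash"), a 6-digit TAN, a per-bank secret key, and constructed sample account numbers. It runs the honest flow, the two places a MITB can rewrite the transaction (after the TAN was issued, and before the bank ever saw the genuine request), and the case Peter flags as the weak point, where the phone itself is compromised and the SMS is relayed to the attacker.

```python
"""Transaction-bound mTAN simulation (added example, not from the thread).

Assumed design: the bank derives the TAN as a truncated HMAC-SHA256 over the
canonical transaction fields and sends it by SMS together with a human-
readable summary. The key, field layout and TAN length are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

TAN_DIGITS = 6


@dataclass(frozen=True)
class Transaction:
    session_id: str
    recipient_iban: str
    amount_cents: int

    def canonical(self) -> bytes:
        # Fixed field order and separator so both sides MAC the same bytes.
        return f"{self.session_id}|{self.recipient_iban}|{self.amount_cents}".encode()


class Bank:
    """Server side: issues a TAN bound to one transaction, verifies it on submit."""

    def __init__(self, tan_key: Optional[bytes] = None) -> None:
        self.tan_key = tan_key or secrets.token_bytes(32)  # assumed per-bank secret
        self.sms_outbox: List[str] = []  # stands in for the SMS gateway

    def _tan_for(self, tx: Transaction) -> str:
        mac = hmac.new(self.tan_key, tx.canonical(), hashlib.sha256).digest()
        # Truncate to something a user can type; the binding to canonical()
        # is what makes a later modification of the fields detectable.
        code = int.from_bytes(mac[:8], "big") % 10**TAN_DIGITS
        return f"{code:0{TAN_DIGITS}d}"

    def request_tan(self, tx: Transaction) -> str:
        """Second channel: the SMS carries the details the bank actually received."""
        sms = (f"Transfer {tx.amount_cents / 100:.2f} EUR to {tx.recipient_iban}. "
               f"TAN: {self._tan_for(tx)}")
        self.sms_outbox.append(sms)
        return sms

    def submit(self, tx: Transaction, tan: str) -> bool:
        # Recompute over the *submitted* fields, not the ones seen earlier.
        return hmac.compare_digest(self._tan_for(tx), tan)


def tan_from_sms(sms: str) -> str:
    return sms.rsplit("TAN: ", 1)[1]


def user_checks_sms(sms: str, intended: Transaction) -> bool:
    """What the independent channel buys: the user compares the SMS details
    with what they meant to send before typing the TAN into the browser."""
    return (intended.recipient_iban in sms
            and f"{intended.amount_cents / 100:.2f} EUR" in sms)


# Constructed sample transactions (not real accounts).
INTENDED = Transaction("sess-42", "DE89370400440532013000", 12_000)
MULE = Transaction("sess-42", "GB33BUKB20201555555555", 490_000)


def honest_flow(bank: Bank) -> bool:
    sms = bank.request_tan(INTENDED)
    return user_checks_sms(sms, INTENDED) and bank.submit(INTENDED, tan_from_sms(sms))


def mitb_swaps_after_tan(bank: Bank) -> bool:
    """Browser malware lets the genuine request through (so the SMS reads
    correctly), then rewrites recipient and amount in the final submission.
    The TAN was computed over INTENDED, so verification over MULE fails."""
    sms = bank.request_tan(INTENDED)
    assert user_checks_sms(sms, INTENDED)
    return bank.submit(MULE, tan_from_sms(sms))


def mitb_swaps_before_tan(bank: Bank) -> bool:
    """Browser malware rewrites the request before it reaches the bank. The
    TAN would verify for MULE, but the SMS shows the mule account and amount,
    which is the user's cue to refuse. Returns whether the user spots it."""
    sms = bank.request_tan(MULE)
    return user_checks_sms(sms, INTENDED)


def phone_malware_relays_sms(bank: Bank) -> bool:
    """The limit Peter mentions: if the phone is also compromised, the
    attacker reads the SMS for MULE and completes the transfer itself."""
    sms = bank.request_tan(MULE)
    return bank.submit(MULE, tan_from_sms(sms))
```

The point of the two MITB functions is that the binding alone only catches a rewrite that happens after the TAN was issued; a rewrite before the TAN request produces a valid TAN for the attacker's transaction, and detection then rests entirely on the user reading the recipient and amount in the SMS rather than just copying the digits. The last function shows why that second channel must stay independent: once the phone relays the SMS, the hash binding gives no protection at all.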