[Owasp-ireland] [SPAM] client-side ssl certs?

Alexis FitzGerald alexis at rits.ie
Thu Aug 11 12:45:30 EDT 2011


Hi John,

Client-side SSL certs could turn out to be a bit of a nightmare,
especially if, as you say, your user base is using a variety of
technologies.
What about doing something with mobile phones/SMS?

You are worried about credentials getting passed around. Preventing the
same user from being logged on twice from two different locations might
be a partial solution.
Training, including dire warnings about sharing credentials might help.

But as we say "it depends" on context/value of data etc....

Alexis

blog.alexisfitzg.com

On 11/08/2011 18:04, John Marmelstein wrote:
>   Hi Folks,
>   How is everyone? It’s been a bit quiet!
>
>   Anyway, might anyone have thoughts or experience on client-side ssl certs?
>
>   I am making a web app. I need some form of user authentication. I’m
>   thinking I need to go a bit better than just having username/password
>   for access control. What options are out there? It's for a
>   public-sector thing. My hesitation with username/password access
>   control is that the credentials might just get passed around.
>
>   I guess that client-side certs are the answer. But, there will be
>   about 2000 users. These are low-tech users, distributed around
>   Ireland, on their personal (i.e. not standardized) browsers/operating
>   systems. So I can't call around to them all doing the certificate
>   installs. I'm not optimistic about asking this user population to do
>   it themselves.
>
>   Any opinions?
>   Maybe it boils down to saying that I either have to use username/password,
>   or accept the large effort of generating, installing and managing the certs?
>   Is there a good way to generate, install and manage certs?
>
>   Thanks!
>   JM
>
>
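One way to implement the "no simultaneous logins from two locations" control Alexis mentions, as an added example that is not part of the original thread: a server-side session policy that allows one live session per user, refuses a second login from a different client address while the first is still live, and records the attempt for review. The idle timeout, user name and IP addresses are constructed for the illustration.

```python
"""Single-active-session enforcement (constructed example, not list code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

SESSION_TTL = timedelta(minutes=30)  # assumed idle timeout for a session


@dataclass
class Session:
    user: str
    client_ip: str
    last_seen: datetime


class SessionPolicy:
    """One live session per user; a second login from another address
    while the first session is live is refused and logged."""

    def __init__(self) -> None:
        self.active: Dict[str, Session] = {}  # user -> live session
        self.alerts: List[str] = []           # audit trail for the defender

    @staticmethod
    def _is_live(sess: Session, now: datetime) -> bool:
        return now - sess.last_seen < SESSION_TTL

    def login(self, user: str, client_ip: str, now: datetime) -> str:
        """Return 'ok' or 'denied' for a login attempt at time `now`."""
        current = self.active.get(user)
        if current is None or not self._is_live(current, now):
            # No live session (or it idled out): start a fresh one.
            self.active[user] = Session(user, client_ip, now)
            return "ok"
        if current.client_ip == client_ip:
            # Same client as the live session: just refresh it.
            current.last_seen = now
            return "ok"
        # Live session elsewhere: a sign the credential may be shared.
        self.alerts.append(
            f"{now.isoformat()} {user}: login from {client_ip} refused, "
            f"session already live from {current.client_ip}"
        )
        return "denied"

    def logout(self, user: str) -> bool:
        """Drop the user's session; True if one existed."""
        return self.active.pop(user, None) is not None
```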