Full Disclosure mailing list archives

Re: [GOATSE SECURITY] Clench: Goatse's way to say "screw you" to certificate authorities


From: Tim <tim-security () sentinelchicken org>
Date: Wed, 8 Sep 2010 12:30:23 -0700

> > This is no different than installing a client cert

> Yes, exactly. This is as equally secure as installing a client cert.
> Except it is achieved without a client cert, using only a password, in
> a manner that can be more easily scaled to lots of users.

Um... I think you have it backwards.  Public key crypto scales,
symmetric does not.  How many unique passwords do you use for the
dozens/hundreds of websites you have an account with?  Scalability
with people is what matters.  Current websites and client software do
not make it easy to use one certificate for many sites, but this
strategy scales much better.

The core difference between the two is that the number of unique keys
needed to carry on private conversations in a group of entities grows
O(n^2) with symmetric keys and O(n) with public keys.  I'm sure you
realize this though.

tim
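The O(n^2) versus O(n) point in the message above, worked through as an added example (this is not code from the thread or from either poster). It provisions a keyring for a constructed group of parties both ways, counts the secrets each scheme needs in total and per party, and also shows the cost the message only implies: what must be generated when a party joins and what must be rotated when one party's stored keys leak. The `site1..siteN` names and the random byte strings standing in for keys are assumptions for illustration only.

```python
import os
from itertools import combinations


def build_symmetric_keyring(parties):
    """Provision one shared secret per unordered pair of parties.

    Returns {frozenset({a, b}): key}.  The 16 random bytes are a constructed
    stand-in for a real pairwise secret.
    """
    return {frozenset(pair): os.urandom(16) for pair in combinations(parties, 2)}


def build_public_keyring(parties):
    """Provision one key pair per party.

    Returns {party: private_half}.  The 32 random bytes are a constructed
    stand-in for a private key; the public half would be published once and
    reused with every peer.
    """
    return {p: os.urandom(32) for p in parties}


def symmetric_key_count(n):
    """Total distinct secrets so every pair among n parties can talk privately."""
    return n * (n - 1) // 2


def public_key_count(n):
    """Total key pairs: exactly one per party."""
    return n


def keys_held_by_each_party(n):
    """Secrets one party must store to reach all n-1 others."""
    return {"symmetric": n - 1, "public": 1}


def keys_to_add_for_new_party(n):
    """New secrets to generate and distribute when a party joins a group of n."""
    return {"symmetric": n, "public": 1}


def keys_to_rotate_after_compromise(n):
    """Secrets invalidated when one party's stored key material leaks."""
    return {"symmetric": n - 1, "public": 1}


def growth_table(sizes):
    """(n, symmetric total, public total) rows for the given group sizes."""
    return [(n, symmetric_key_count(n), public_key_count(n)) for n in sizes]


if __name__ == "__main__":
    parties = [f"site{i}" for i in range(1, 6)]  # constructed sample group
    sym = build_symmetric_keyring(parties)
    pub = build_public_keyring(parties)
    assert len(sym) == symmetric_key_count(len(parties))
    assert len(pub) == public_key_count(len(parties))
    print("n     symmetric  public")
    for n, s, p in growth_table([2, 5, 10, 100, 1000]):
        print(f"{n:<5} {s:<10} {p}")
    print("join 1000:", keys_to_add_for_new_party(1000))
    print("leak in 1000:", keys_to_rotate_after_compromise(1000))
```

Run it directly to see the table; the per-party figures are what matter for the "scalability with people" argument, since a user with one key pair reaches every site while a user with pairwise secrets carries one per site.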

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

