On 3/4/21 9:33 AM, Nico Williams wrote:
Your online requirements cherry-picks that the online requirements will
neatly line up in times of need and ignores other online requirements.
Authentication is one small part of a larger system. That larger system
almost always needs to be online 24/7. X.509 is a relic from the past.
I've explained about online requirements on every transaction vs. once
in a while. It's not cherry-picking. It's trade-offs. I've tried
explaining, and you can disagree with good technical arguments about
cases where there are better trade-offs or whatever, but instead you've
just been unnecessarily rude. Have a nice day.
This entire subthread started from the observation that just putting a
an ssh public key in an employee directory would be a lot simpler than
issuing certificates since it doesn't change anything on the client at
all. You said that doing something -- installing certificates -- is
easier than doing nothing at all. It's hard to take that sort of
statement seriously because it's flat out wrong and contradictory.
But with respect to state and being able to do things offline, if your
employee directory is down in your average company you have a 5-alarm
fire that needs to be put out just as much as if your website went down.
The need for offline verification is niche these days. Since that's the
only advantage that X.509 brings, that tells me that there is a lot of
tail wagging dogs going on. As it ever were.
Thankfully beyond the vast confusion factor that X.509 brings it mostly
doesn't matter these days. Nobody uses client side certs because they
don't scale. Manifestly.
Mike
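The trade-off the two of them are arguing about (a directory lookup on every login versus a signature check that needs nothing online after issuance) is easy to make concrete. The following is an added example, not code from either participant or from any SSH implementation: it models both designs side by side with Ed25519 as a stand-in for whatever key type the directory or CA would carry, a toy certificate encoding that is not the OpenSSH or X.509 format, constructed keys, and a constructed "directory up/down" flag in place of a real LDAP outage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Model A: bare SSH-style public keys published in an employee directory.
// The server has to reach the directory on every login: an online requirement per transaction.
type Directory struct {
	Keys map[string]ed25519.PublicKey
	Up   bool // constructed flag standing in for directory availability
}

var ErrDirectoryDown = errors.New("directory unreachable")

// AuthDirectory fetches the user's key at login time and checks the challenge signature.
// With the directory down it fails closed: nobody logs in until it is back.
func AuthDirectory(d *Directory, user string, challenge, sig []byte) error {
	if !d.Up {
		return ErrDirectoryDown
	}
	pub, ok := d.Keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Model B: a CA-signed certificate binding principal, key and expiry (toy format, not OpenSSH's).
// The server holds only the CA public key; the only online step is issuance, once per cert lifetime.
type Cert struct {
	Principal string
	Key       ed25519.PublicKey
	NotAfter  int64 // unix seconds
	Sig       []byte
}

// certTBS is the to-be-signed encoding: length-prefixed principal, raw key, big-endian expiry.
func certTBS(principal string, key ed25519.PublicKey, notAfter int64) []byte {
	var exp [8]byte
	binary.BigEndian.PutUint64(exp[:], uint64(notAfter))
	out := append([]byte{byte(len(principal))}, principal...)
	return append(append(out, key...), exp[:]...)
}

func IssueCert(caPriv ed25519.PrivateKey, principal string, key ed25519.PublicKey, notAfter int64) Cert {
	return Cert{principal, key, notAfter, ed25519.Sign(caPriv, certTBS(principal, key, notAfter))}
}

// AuthCert verifies entirely offline. The price: with no online check, a bad key
// only stops working when the certificate expires, so lifetimes have to be short.
func AuthCert(caPub ed25519.PublicKey, c Cert, user string, now int64, challenge, sig []byte) error {
	switch {
	case c.Principal != user:
		return errors.New("principal mismatch")
	case now > c.NotAfter:
		return errors.New("certificate expired")
	case !ed25519.Verify(caPub, certTBS(c.Principal, c.Key, c.NotAfter), c.Sig):
		return errors.New("bad CA signature")
	case !ed25519.Verify(c.Key, challenge, sig):
		return errors.New("bad signature")
	}
	return nil
}

// Outcome holds one login attempt per situation so the two models can be compared.
type Outcome struct{ DirUp, DirDown, CertDirDown, CertExpired error }

// RunScenario generates constructed keys and runs the same login under each model.
func RunScenario() (Outcome, error) {
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	userPub, userPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	challenge := []byte("constructed server nonce 0001")
	sig := ed25519.Sign(userPriv, challenge)
	dir := &Directory{Keys: map[string]ed25519.PublicKey{"mike": userPub}, Up: true}
	const now = int64(1614850380)                        // 2021-03-04, roughly when the thread was written
	cert := IssueCert(caPriv, "mike", userPub, now+8*3600) // 8-hour certificate
	var o Outcome
	o.DirUp = AuthDirectory(dir, "mike", challenge, sig)
	dir.Up = false
	o.DirDown = AuthDirectory(dir, "mike", challenge, sig)
	o.CertDirDown = AuthCert(caPub, cert, "mike", now, challenge, sig) // directory never consulted
	o.CertExpired = AuthCert(caPub, cert, "mike", now+9*3600, challenge, sig)
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Run it and the four results show the shape of the argument: the directory model succeeds only while the directory answers and fails closed the moment it does not, while the certificate model never touches the directory and instead pushes the online requirement to issuance time, with expiry as the only lever for cutting a key off. Which of those failure modes is the "5 alarm fire" for a given shop is exactly what the thread is disagreeing about.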