[SSL Observatory] offtopic: sites with client certificate authentication

Erwann Abalea eabalea at gmail.com
Tue Aug 16 06:18:40 PDT 2011


2011/8/16 Peter Gutmann <pgut001 at cs.auckland.ac.nz>:
> Erwann Abalea <eabalea at gmail.com> writes:
>
>>Starting in 2001, up to 2008, in France, we had to authenticate using a
>>certificate in order to electronically declare our income tax (it was also
>>digitally signed by this certificate). It has changed to login/password
>>since.
>
> Is there any more information available on this, e.g. discussion of user
> reactions, and why it was abandoned, case-study style material?  The tax
> department tried the same thing over here years ago, but the reaction from
> users was so profoundly negative that it was never moved out of the pilot
> stage.

We (Keynectis, the PKI operator) still produce certificates (and
CRLs). The use of a certificate is no longer mandatory, but still
available.

I don't think the user reaction was that negative. Uninformed, for
sure. The problems are more technical, and not balanced by a real
benefit.

The certificates are valid for 3 years, and are really used once a
year, for the declaration (they can be used to look at one's tax file,
but you don't do that every day). So their use (enroll, use, revoke) is
concentrated in a lapse of a few days.
Usually the user forgot his password, or reinstalled his PC (because
of some malware infection, or disk crash), or changed his PC, so he
needs to revoke his old certificate in order to get a new one that
will be used for a few minutes. Some users even enroll for a
certificate, declare their tax, and revoke it just after, "to be sure
nobody will steal the certificate and declare something else".
All in all, the proportion of revoked certificates is more than 90%.
That's insane.
Even dispatched on 4 different CAs to distribute the load, that led
to 90MB CRLs (we have now 30-40MB CRLs), for 35-byte CRL entries (no
CRLEntry extension).

So the main problems were:
 - huge CRLs that need to be parsed everyday (with OpenSSL, or Java,
you have a nearly tenfold memory footprint) to update a centralized
database
 - have a support center to answer basic questions ("I lost my
password, what can I do?" - "read the FAQ, then click here to revoke
your certificate, then here to get a new one - you're welcome")

The real benefit comes from electronic declaration, not from
certificate authentication. Even when the declaration was digitally
signed, the proof of signature had to be opposed to the tax
department, the same one that defines the rules. Useless.

-- 
Erwann.
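The two figures in the post, a 35-byte CRL entry and a near-tenfold memory footprint when a full-size CRL is parsed with a general-purpose ASN.1 library, can be checked with a few lines of DER. The following is an added example, not code from the post or from Keynectis: it encodes revokedCertificates entries (serial number plus revocationDate, no crlEntryExtensions) so the 35-byte size can be verified for 16-byte serials, and it scans such a blob with a streaming parser that keeps only a memoryview and a few integers alive instead of building one object per entry. The serials, dates and the `random_serial` helper are constructed for the illustration.

```python
"""Minimal DER encoder and streaming scanner for CRL revokedCertificates.

Constructed example (not the post's code): shows why a revoked-certificate
entry without crlEntryExtensions is about 35 bytes for a 16-byte serial, and
how a large CRL body can be scanned at roughly its own size in memory.
"""
import datetime
import os

SEQUENCE, INTEGER, UTCTIME, GENERALIZEDTIME = 0x30, 0x02, 0x17, 0x18


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER; certificate serials are positive."""
    if value < 0:
        raise ValueError("serial numbers are positive")
    return der_tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def der_time(when: datetime.datetime) -> bytes:
    """UTCTime for 1950-2049, GeneralizedTime otherwise (RFC 5280 rule)."""
    if 1950 <= when.year <= 2049:
        return der_tlv(UTCTIME, when.strftime("%y%m%d%H%M%SZ").encode())
    return der_tlv(GENERALIZEDTIME, when.strftime("%Y%m%d%H%M%SZ").encode())


def encode_revoked_entry(serial: int, when: datetime.datetime) -> bytes:
    """SEQUENCE { userCertificate INTEGER, revocationDate Time }, no extensions."""
    return der_tlv(SEQUENCE, der_integer(serial) + der_time(when))


def encode_revoked_certificates(entries) -> bytes:
    """The revokedCertificates SEQUENCE OF that dominates a large CRL."""
    return der_tlv(SEQUENCE, b"".join(encode_revoked_entry(s, t) for s, t in entries))


def random_serial() -> int:
    """Constructed 16-byte serial with the top bit clear (one DER INTEGER of 16 bytes)."""
    return (int.from_bytes(os.urandom(16), "big") & ((1 << 127) - 1)) | (1 << 120)


def _read_tlv(buf: memoryview, pos: int):
    """Return (tag, body_start, body_end) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, start, start + length


def iter_revoked(der: bytes):
    """Yield (serial, date_string) from a revokedCertificates blob.

    Only a memoryview and a handful of ints are live at any moment, so the
    scan costs roughly the blob's own size rather than a per-entry object graph.
    """
    buf = memoryview(der)
    tag, pos, end = _read_tlv(buf, 0)
    if tag != SEQUENCE:
        raise ValueError("expected SEQUENCE OF revoked entries")
    while pos < end:
        tag, epos, eend = _read_tlv(buf, pos)
        if tag != SEQUENCE:
            raise ValueError("malformed entry")
        itag, istart, iend = _read_tlv(buf, epos)
        ttag, tstart, tend = _read_tlv(buf, iend)
        if itag != INTEGER or ttag not in (UTCTIME, GENERALIZEDTIME):
            raise ValueError("malformed entry")
        serial = int.from_bytes(buf[istart:iend], "big", signed=True)
        yield serial, bytes(buf[tstart:tend]).decode()
        pos = eend  # any crlEntryExtensions are skipped by jumping to the entry end


def is_revoked(der: bytes, serial: int) -> bool:
    """Membership test that never materialises the whole entry list."""
    return any(s == serial for s, _ in iter_revoked(der))


if __name__ == "__main__":
    now = datetime.datetime(2008, 5, 20, 12, 0, 0)
    blob = encode_revoked_certificates([(random_serial(), now) for _ in range(10_000)])
    print("bytes per entry:", len(blob) / 10_000)
    print("entries in a 90 MB CRL at 35 bytes each:", 90_000_000 // 35)
```

Running the module prints about 35 bytes per entry, which puts a 90 MB CRL at roughly 2.5 million revoked serials; a parser that wraps each entry in objects with a Python or Java header, a boxed integer and a date object is exactly where the tenfold figure comes from, and the membership check above is the shape of a scan that avoids it.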