[CentOS] [CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround

Wed Apr 9 20:12:38 UTC 2014
Peter <peter at pajamian.dhs.org>

On 04/10/2014 03:09 AM, Markus Falb wrote:
> 
> I am assuming that client certificates are handed out to staff. Basically you can't
> really control where people install client certificates and which client software is used.
> If one is tricked to do an SSL handshake with a malicious server, the key of the client
> certificate is leaked. Reissue of the cert won't help because on the other day there
> would be another malicious handshake with another bad server...

No, the server never sees a private client certificate, it only ever has
access to the public certificate, which by its very nature of being
public doesn't really matter if it gets leaked.  No vulnerability on the
server can expose a private client certificate, only a vulnerability on
the client can.


Peter
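To make Peter's point concrete, the following added example (not code from this thread or from CentOS/OpenSSL) runs a real mutually authenticated TLS handshake with Go's standard `crypto/tls` over an in-memory pipe and then reports what the server side actually holds about the client afterwards. The certificate names `server.example` and `staff-user.example`, the helper names `newSelfSigned`, `mutualHandshake` and `must`, and the `ServerView` type are all constructed for this example. What the server receives is an `*x509.Certificate` (public key, subject, extensions) plus the client's CertificateVerify signature over the handshake transcript; the type has no field for a private key because the protocol never transmits one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must aborts on unexpected errors from the one-off certificate setup.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newSelfSigned makes a throwaway self-signed certificate plus its private key;
// cn is also set as a DNS SAN so the client's hostname check of the server passes.
func newSelfSigned(cn string, usage x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// ServerView is what the server holds about the client once the handshake is
// done. It is built from an *x509.Certificate, which has a PublicKey field and
// no private key: the client sends only its certificate and a CertificateVerify
// signature over the transcript, proving possession without sending the key.
type ServerView struct {
	ClientCN          string
	PublicKeyType     string
	HandshakeComplete bool
}

// mutualHandshake runs a real crypto/tls handshake with a client certificate
// over an in-memory net.Pipe and reports the server side's view of the client.
func mutualHandshake() (ServerView, error) {
	serverCert := newSelfSigned("server.example", x509.ExtKeyUsageServerAuth)     // constructed name
	clientCert := newSelfSigned("staff-user.example", x509.ExtKeyUsageClientAuth) // constructed name
	clientCAs, rootCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(clientCert.Leaf) // the server trusts this client cert directly
	rootCAs.AddCert(serverCert.Leaf)   // the client trusts this server cert directly
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              clientCAs,
		SessionTicketsDisabled: true, // avoids a mid-handshake server write that would stall net.Pipe
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{clientCert}, // the private key lives only on this side
		RootCAs:      rootCAs,
		ServerName:   "server.example",
	}
	cConn, sConn := net.Pipe()
	defer func() { cConn.Close(); sConn.Close() }()
	srv := tls.Server(sConn, serverCfg)
	done := make(chan error, 1)
	go func() { done <- srv.Handshake() }()
	if err := tls.Client(cConn, clientCfg).Handshake(); err != nil {
		return ServerView{}, err
	}
	if err := <-done; err != nil {
		return ServerView{}, err
	}
	state := srv.ConnectionState()
	peer := state.PeerCertificates[0] // the client's certificate: public material only
	return ServerView{
		ClientCN:          peer.Subject.CommonName,
		PublicKeyType:     fmt.Sprintf("%T", peer.PublicKey), // "*ecdsa.PublicKey"
		HandshakeComplete: state.HandshakeComplete,
	}, nil
}

func main() {
	v, err := mutualHandshake()
	if err != nil {
		panic(err)
	}
	fmt.Printf("server holds: CN=%s, key type=%s, complete=%v\n", v.ClientCN, v.PublicKeyType, v.HandshakeComplete)
}
```

Run it with `go run` and the server side ends up with the client's subject and public key and nothing else; the private key never crosses the connection, which is why a memory-disclosure bug on the server side has no client private key to read. The example says nothing about the other direction Peter names in his last sentence: a client built against a vulnerable OpenSSL still has its own key in its own process memory, so the client-side package needs the fix regardless.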