Penetration Testing mailing list archives
Re: [PEN-TEST] Your opinions ... last request
From: "Deus, Attonbitus" <Thor () HammerofGod Com>
Date: Thu, 2 Nov 2000 07:13:47 -0800
----- Original Message -----
From: "Frank Knobbe"
Sent: Wednesday, November 01, 2000 7:59 PM
> The client won't lose it without noticing (even if he does, the token is protected by a PIN), the client won't make inadvertent copies of it (you know, the backup of the public/private certificate keypair on ZIP drive/CD-ROM/tape that everyone forgets about), the client won't need to reinstall it when his OS crashes and he has to reinstall, etc.
This may sound like a simple differentiation, but there is a very important element to certificates that I think most overlook: the only way to export a certificate so that it can be imported and installed on another system as a personal certificate (one that verifies personal identity) is to export it as a PKCS #12 (not #7) personal information exchange file. To create a PKCS #12 file, the private key MUST be labeled as exportable, and must subsequently be exported along with the file.

The issuing CA's policy can simply be set up to disallow the export of the certificate's private key (which I think is the default on CertServ2000). If this is done, the certificate can only be exported as a PKCS #7 or X.509 (DER or base64 encoded) file. PKCS #7 files cannot be imported as PKCS #12 files that would validate personal identity. They can only be imported for use with documents that are signed and sealed with that certificate. This simple policy setting goes a long way in ensuring that the certificate stays put.

Now, handing your computer over to someone else is a different story. But that is why I never singularly base authentication on the existence of a certificate. I would still make users supply a username and password to access the site in addition to the cert requirement.

---------------------------------------------------------
Attonbitus Deus
thor () hammerofgod com