Penetration Testing mailing list archives

Re: [PEN-TEST] Your opinions ... last request


From: "Deus, Attonbitus" <Thor () HammerofGod Com>
Date: Thu, 2 Nov 2000 07:13:47 -0800

----- Original Message -----
From: "Frank Knobbe"
Sent: Wednesday, November 01, 2000 7:59 PM

The client won't lose it without noticing (even if he does,
the token is protected by a PIN), the client won't make inadvertent
copies of it (You know, the backup of the public/private certificate
keypair on ZIP drive/CD-ROM/Tape that everyone forgets about), the
client won't need to reinstall it when his OS crashes and he has to
reinstall, etc.

This may sound like a simple differentiation, but there is a very important
element to certificates that I think most overlook:

The only way to export a certificate so that it can be imported and
installed on another system as a personal certificate (one that verifies
personal identity) is to export it as a PKCS #12 (not #7) personal
information exchange file.  To create a PKCS #12 file, the private key MUST
be labeled as exportable, and must subsequently be exported along with the
file.  The issuing CA's policy can simply be set up to disallow the export
of the certificate's private key (which I think is the default on
CertServ2000).  If this is done, the certificate can only be exported as a
PKCS #7 or X.509 (DER or base64-encoded) file.  PKCS #7 files cannot be
imported as PKCS #12 files that would validate personal identity.  They can
only be imported for use with documents that are signed and sealed with that
certificate.

This simple policy setting goes a long way in ensuring that the certificate
stays put.

Now, handing your computer over to someone else is a different story.  But
that is why I never singularly base authentication on the existence of a
certificate.  I would still make users supply a username and password to
access the site in addition to the cert requirement.

---------------------------------------------------------
Attonbitus Deus
thor () hammerofgod com
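Reproducing the export distinction drawn in the post, as an added example (an OpenSSL shell script, not code from the thread or its authors): it builds a throwaway identity, exports it as PKCS #12, PKCS #7 and bare X.509 DER, and then classifies each file by whether it carries private-key material, which is the check a defender would run over stray backup copies. The key pair, subject name, file names and password are constructed for the demo.

```sh
#!/bin/sh
# Constructed demo: an identity exported three ways, then classified by
# whether the file carries private-key material. Names, paths and the
# password are made up for this example.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway key pair + self-signed cert standing in for a CA-issued user cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo user" \
    -keyout "$WORK/user.key" -out "$WORK/user.crt" >/dev/null 2>&1

# PKCS #12: only possible when the private key is available (exportable).
openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.crt" \
    -passout pass:demo -out "$WORK/user.p12"
# PKCS #12 built with -nokeys: a certificate-only bag, no identity inside.
openssl pkcs12 -export -nokeys -in "$WORK/user.crt" \
    -passout pass:demo -out "$WORK/certonly.p12"
# PKCS #7 and bare X.509 DER: what a non-exportable key leaves you with.
openssl crl2pkcs7 -nocrl -certfile "$WORK/user.crt" -outform DER -out "$WORK/user.p7b"
openssl x509 -in "$WORK/user.crt" -outform DER -out "$WORK/user.der"

# classify FILE [PASSWORD]
# prints: pkcs12-with-key | pkcs12-cert-only | pkcs7 | x509 | unknown
classify() {
    f=$1; pw=${2:-}
    if openssl pkcs12 -in "$f" -passin "pass:$pw" -noout -nodes >/dev/null 2>&1; then
        # -nocerts -nodes emits only key material; nothing means cert-only.
        if openssl pkcs12 -in "$f" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
                | grep -q 'PRIVATE KEY'; then
            echo pkcs12-with-key
        else
            echo pkcs12-cert-only
        fi
    elif openssl pkcs7 -inform DER -in "$f" -noout >/dev/null 2>&1; then
        echo pkcs7
    elif openssl x509 -inform DER -in "$f" -noout >/dev/null 2>&1; then
        echo x509
    else
        echo unknown
    fi
}

for name in user.p12 certonly.p12 user.p7b user.der; do
    printf '%-13s %s\n' "$name" "$(classify "$WORK/$name" demo)"
done
```

Only the first file would let someone install the certificate as a personal identity on another machine; the other three carry nothing but the public certificate.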

