Penetration Testing mailing list archives

Re: [PEN-TEST] Your opinions ... more info


From: "L.W." <eldub () POBOX COM>
Date: Tue, 31 Oct 2000 11:36:54 -0800

-> Jim Miller said:
->
-> Objective:
-> Is the certificate authentication process adequate for the cash
-> mgt application, or is a VPN recommended?  All other issues are
-> off target.

Jim, a couple of key points. I am assuming this is B2B and best described as
an Extranet.

First, as a general rule, VPNs provide authentication at the network layer
and are thus best classified as "device to device" authentication.  If you
use a VPN, you get a secure pipe (assuming ESP), but must authenticate
separately to the application. Since you are an "IS Auditor", I'm sure it
would be redundant to mention the policy implications of this, but nonetheless,
I'll stress that control of the customer-located access point is
critical.

Second, SSL provides authentication at the application layer and is best
described as "client to server" authentication.  In order to pull off the
client part, you require SSLv3.  Trusting the client certificate requires
three things.  First, you must unequivocally trust the CA.  Second, you must
ensure the keys are valid (CRL checking).  Finally, you must ensure that the
user possesses the private key.

From your description, the CA is poorly implemented, and seems to lack a CPS
and/or a CP.  It is not necessarily located in a place that can assure that
it remains trusted.  There is no mention of CRL checking and this is not
automatic with SSL.  Finally, there seems to be no way to assure that the
end user is the real key owner.

I feel, given the information you have posted to this point, neither of
these is adequate, as neither has been properly planned.  It looks like the
business requirements phase was not properly completed.

I would spend some time resolving these issues before even worrying about
the network part.

-LW
eldub () pobox com
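The three things L.W. lists for trusting a client certificate (unequivocally trust the CA, check the CRL, and confirm the user holds the private key), as an added example in Go; this is not code from the thread or from any product mentioned in it. It uses only the standard library (crypto/x509 with Go 1.19 or later, which is where ParseRevocationList appeared) and builds a constructed, in-memory PKI so it runs offline: the CA name, the client names "alice", "bob" and "stranger", the serial numbers and the nonce are all made up. The possession proof is modelled as the presenter signing a server-chosen nonce with the certificate's private key, which is the role the handshake's CertificateVerify message plays for an SSL client certificate; the CRL check is written out explicitly because, as the post says, SSL does not do it for you. The `must` and `newKey` helpers only shorten the test-PKI construction; the checks themselves return errors.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is a constructed, test-only PKI: a CA, a valid client, a revoked client,
// a self-signed "stranger" issued by no trusted CA, and the CA's signed CRL.
type pki struct {
	CA, Good, Revoked, Stranger *x509.Certificate
	CAKey, GoodKey, RevokedKey  *ecdsa.PrivateKey
	CRL                         []byte
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue creates a certificate from tmpl, signed with signer's key (parent == tmpl means self-signed).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func buildPKI() *pki {
	now := time.Now()
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
	}
	caTmpl, strTmpl := tmpl(1, "Cash Mgt CA (constructed)"), tmpl(4, "stranger")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.ExtKeyUsage = true, true, nil
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // CRLSign is needed to sign the CRL
	caKey, goodKey, revKey, strKey := newKey(), newKey(), newKey(), newKey()
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	good := issue(tmpl(2, "alice"), ca, &goodKey.PublicKey, caKey)
	revoked := issue(tmpl(3, "bob"), ca, &revKey.PublicKey, caKey)
	stranger := issue(strTmpl, strTmpl, &strKey.PublicKey, strKey)
	// The CA publishes a CRL, signed with its own key, that lists bob's serial.
	crl := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}, ca, caKey))
	return &pki{CA: ca, Good: good, Revoked: revoked, Stranger: stranger,
		CAKey: caKey, GoodKey: goodKey, RevokedKey: revKey, CRL: crl}
}

// checkCRL is the second requirement: the CRL must be signed by the CA, still fresh, and must not list this serial.
func checkCRL(client, ca *x509.Certificate, crlDER []byte) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return err }
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale (NextUpdate %s); refuse rather than guess", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %d is revoked", rc.SerialNumber)
		}
	}
	return nil
}

// signNonce is the client's half of the possession proof (third requirement).
func signNonce(key *ecdsa.PrivateKey, nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// authenticate applies the three requirements in order; any failure rejects the client.
func authenticate(ca *x509.Certificate, crl []byte, client *x509.Certificate, nonce, sig []byte) error {
	roots := x509.NewCertPool() // First: chains to the CA we explicitly trust, and is allowed for client auth.
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := checkCRL(client, ca, crl); err != nil {
		return fmt.Errorf("revocation: %w", err)
	}
	// Third: the presenter proves possession by signing our nonce with the matching private key.
	pub, ok := client.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("possession: nonce signature does not verify under the certificate key")
	}
	return nil
}
```

Calling `authenticate` with alice's certificate and a nonce signed by alice's key returns nil; bob's certificate fails at the revocation step, the self-signed stranger fails at the chain step, and alice's certificate presented with a signature from some other key fails at the possession step. Note the stale-CRL branch: a server that keeps accepting clients after the CRL's NextUpdate has passed has silently stopped doing the second check.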

