Re: Secure web site access and PKI Certs

[Scott Schwendinger <swschwen () yahoo com>]

Keenan,

   If the PKI certificate is installed on the local
machine with the "Enable Strong Private Key
Protection..." checked, a password will be required
each time the certificate is used.  This will provide
additional security for Single Sign On to PKI enabled
web sites.


--- Keenan Smith <kc_smith () clark net> wrote:
> All,
>
> I have access to a secure web site.  It used to
> require a PKI Cert to
> identify the user and then a standard
> username/password login to
> authenticate.
>
> Recently a change was made to the site that allows
> the supplying of a
> PKI Subject CN Fragment to a user "profile" on the
> site.  In this case,
> the certificate not only identifies the user but
> authenticates as well.
>
> The end result is an "auto-login" feature that in
> effect, keeps me
> logged in all the time.  Anybody sitting at my
> machine and logged in as
> me (Windows XP) can access the web site as me.
>
> At first glance this seems like it's a reasonable
> way to accomplish a
> secure access to the web site.  Installing the
> certificate as me ties it
> to my profile and makes it unavailable to other
> users on my machine and
> since the use of the certificate requires a user to
> login as me, it
> moves the authentication piece from the web site to
> the Windows domain.
>
> This seems to some extent like "security through
> obscurity" and also
> substituting convenience for security, an
> all-to-common problem.
>
> Since it's my security-cleared neck on the line, I'd
> rather be too
> concerned rather than not concerned enough.
>
> So I'm asking the collective wisdom of the list to
> consider.  Is PKI's
> single sign-on capability reasonable?  Is this
> implementation adequate?
> Thoughts?  Opinions?  Critiques?
>
> Thanks
> Keenan Smith

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com