Firewall Wizards mailing list archives
Re: SecureID vs Certificates
From: "Volker Tanger" <volker.tanger () detewe de>
Date: Wed, 14 Feb 2001 09:51:47 +0100
Bill Jaeger wrote:
> Volker Tanger wrote:
>
> > On Certificates: you do not have to store them on your local computer. There are a lot of smart cards / safe readers (with keypad to release the cert with a PIN) on which you can safely store your certificates. Remove the card, and no one has access to your certificate. Choose a card/reader system that does not COPY the certificate but that does ENCRYPTION on the card itself. With this the certificate cannot be copied. If you only use the cards as simple certificate storage you have the risk that maybe some program simply copies your certificate. With a self-crypting certificate card/reader system you have a safe two-component solution: the card (with certificate) you have - and the PIN you know.
>
> Not to pick on Volker, but statements like the above really hit a pet peeve of mine -- the common misconceptions about the security needs of digital certificates. Since others have made similar statements as part of this discussion, I figured I'd chime in...
>
> [...]
>
> It is the PRIVATE KEY associated with the digital certificate that must be protected, and not the digital certificate itself.
Yes, correct. I always was under the impression that the private key = certificate (and public key = public key), so only our definitions crossed.

So my statement above reads: if you use a smart card that does not just store the private key, but only does encryption (after entering the PIN on the card reader), you should be pretty much on the safe side.

Unfortunately quite a number of PKI solutions - with e.g. Checkpoint SecuRemote among them - insist on importing the private key into their own key store, which often seems to be only poorly protected. So the "intelligent" card system cannot be used. I guess that's the main reason why these cards are not used too widely.

Bye

Volker

--
Volker Tanger <volker.tanger () detewe de>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/