Firewall Wizards mailing list archives

Re: SecureID vs Certificates


From: "Volker Tanger" <volker.tanger () detewe de>
Date: Wed, 14 Feb 2001 09:51:47 +0100

Bill Jaeger wrote:

> Volker Tanger wrote:
>
>> On Certificates: you do not have to store them on your local computer.
>> There are a lot of smart cards / safe readers (with a keypad to release
>> the cert with a PIN) on which you can safely store your certificates.
>> Remove the card, and no one has access to your certificate.
>
>> Choose a card/reader system that does not COPY the certificate but that
>> does ENCRYPTION on the card itself. With this the certificate cannot be
>> copied. If you only use the cards as simple certificate storage you have
>> the risk that maybe some program simply copies your certificate. With a
>> self-crypting certificate card/reader system you have a safe two-component
>> solution: the card (with certificate) you have - and the PIN you know.
>
> Not to pick on Volker, but statements like the above really hit a pet peeve
> of mine -- the common misconceptions about the security needs of digital
> certificates.  Since others have made similar statements as part of this
> discussion, I figured I'd chime in...
>
> [...]
>
> It is the PRIVATE KEY associated with the digital certificate that must be
> protected, and not the digital certificate itself.

Yes, correct. I was always under the impression that the private key =
certificate (and public key = public key), so only our definitions crossed. So
my statement above reads: if you use a smart card that does not just store the
private key, but only does encryption (after entering the PIN on the card
reader), you should be pretty much on the safe side.

Unfortunately quite a number of PKI solutions - with e.g. Checkpoint SecuRemote
among them - insist on importing the private key into their own key store which
often seems to be only poorly protected.  So the "intelligent" card system
cannot be used. I guess that's the main reason why these cards are not more
widely used.

Bye
    Volker

--

Volker Tanger  <volker.tanger () detewe de>
 Wrangelstr. 100, 10997 Berlin, Germany
    DiSCON GmbH - Internet Solutions
         http://www.discon.de/


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
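The two-component card the thread describes, as an added example that is not from the thread or any vendor: a hypothetical CardToken type in Go whose key pair is generated on-card, whose private key has no getter, which signs only after the PIN is presented, and whose self-signed certificate is all a verifier needs. Ed25519, the CommonName, the PIN handling and the challenge message are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CardToken is a hypothetical model of an "intelligent" card: the key pair is
// generated inside and the private key has no getter, so nothing can copy it off.
type CardToken struct {
	priv    ed25519.PrivateKey
	pin     []byte
	CertDER []byte // the public half: safe to hand out, needs no protection
}
// NewCardToken generates the key pair on-card and self-signs a certificate.
func NewCardToken(pin string) (*CardToken, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand is documented not to fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "card user"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return &CardToken{priv: priv, pin: []byte(pin), CertDER: der}, nil
}
// Sign is the two-component step: the card (what you have) runs the private-key
// operation only after the PIN (what you know) is given; only a signature leaves.
func (c *CardToken) Sign(pin string, msg []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), c.pin) != 1 {
		return nil, errors.New("wrong PIN: card stays locked")
	}
	return ed25519.Sign(c.priv, msg), nil
}
// Verify needs only the certificate, never the card or the key.
func Verify(certDER, msg, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	return cert.CheckSignature(x509.PureEd25519, msg, sig)
}
```

A software key store that imports the private key, as the post complains SecuRemote does, is the opposite design: there the key is a file any program running as the user can read.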