Firewall Wizards mailing list archives
RE: SecureID vs Certificates
From: "Bill Jaeger" <wlj () interNook net>
Date: Wed, 14 Feb 2001 03:27:36 -0500
Volker Tanger wrote:
> On Certificates: you do not have to store them on your local computer. There are a lot of smart cards / safe readers (with a keypad to release the cert with a PIN) on which you can safely store your certificates. Remove the card, and no one has access to your certificate. Choose a card/reader system that does not COPY the certificate but that does ENCRYPTION on the card itself. With this the certificate cannot be copied. If you only use the cards as simple certificate storage, you have the risk that maybe some program simply copies your certificate. With a self-encrypting certificate card/reader system you have a safe two-component solution: the card (with certificate) you have - and the PIN you know.
Not to pick on Volker, but statements like the above really hit a pet peeve of mine -- the common misconceptions about the security needs of digital certificates. Since others have made similar statements as part of this discussion, I figured I'd chime in...

FACT: Certificates CAN and SHOULD be widely distributed.

FACT: "Theft" of a certificate DOES NOT compromise security.

It is the PRIVATE KEY associated with the digital certificate that must be protected, and not the digital certificate itself. Digital certificates provide the means for users or systems to:

1) ESTABLISH your identity by verifying that you hold the private key related to the public key contained within the digital certificate.

2) TRUST your identity -- assuming that you've proved it above -- if they also trust the Certificate Authority (CA) that issued your certificate.

3) ENCRYPT data explicitly for you using the public key contained within your digital certificate. This data can only be decrypted with the private key associated with your digital certificate.

4) VERIFY digital signatures created with your private key using the associated public key contained within the digital certificate.

Compromise of a user's PRIVATE KEY will undermine the four elements listed above.

To authenticate a user, the user must prove that they hold the private key associated with the public key contained within the digital certificate. Simply presenting a digital certificate is not sufficient for authenticating a user, and is akin to logging in to a system by only providing a user id and no password.

Unfortunately, vendor hype about digital certificates does not help to clear up misconceptions surrounding the use of the technology.

Hope this helps,

-Bill

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
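The distinction Bill draws between the certificate (public, freely distributable) and the private key (the secret that actually proves identity) can be shown concretely with a proof-of-possession exchange. The following Go program is an added illustration, not code from the mailing list or from any product discussed in the thread. It builds two self-signed identities with constructed subject names ("alice" and "mallory"), then shows that a challenge signed with Alice's private key verifies against the public key in her certificate, that a copy of the certificate alone (Mallory signing with her own key) fails that check, and that data encrypted to Alice's certificate can only be recovered with her private key. Everything uses the Go standard library; the function names are my own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity bundles the two parts the post distinguishes: the certificate,
// which may be handed out freely, and the private key, which must stay secret.
type Identity struct {
	Cert *x509.Certificate // public part: safe to copy and distribute
	Priv *rsa.PrivateKey   // secret part: possession of this is what gets proven
}

// NewIdentity generates an RSA key pair and a self-signed X.509 certificate
// for a constructed subject name (assumed values; no real CA is involved).
func NewIdentity(name string) (*Identity, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Priv: priv}, nil
}

// NewChallenge is the verifier's random nonce; a fresh one per login defeats replay.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond is the prover's side: sign the challenge with the private key (RSA-PSS, SHA-256).
func Respond(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Authenticate is the verifier's side: the signature must verify under the public key
// carried in the presented certificate. Presenting the certificate without a valid
// signature is the "user id with no password" case from the post and proves nothing.
func Authenticate(cert *x509.Certificate, challenge, sig []byte) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an RSA public key")
	}
	h := sha256.Sum256(challenge)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

// EncryptFor encrypts a message to the certificate holder using only the public key.
func EncryptFor(cert *x509.Certificate, msg []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt recovers the plaintext; it succeeds only with the matching private key.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	alice, _ := NewIdentity("alice")
	mallory, _ := NewIdentity("mallory") // has her own key and a copy of alice's certificate

	chal, _ := NewChallenge()
	sig, _ := Respond(alice.Priv, chal)
	fmt.Println("holder of alice's private key authenticates:", Authenticate(alice.Cert, chal, sig) == nil)
	forged, _ := Respond(mallory.Priv, chal)
	fmt.Println("holder of only alice's certificate authenticates:", Authenticate(alice.Cert, chal, forged) == nil)

	ct, _ := EncryptFor(alice.Cert, []byte("for alice only"))
	pt, _ := Decrypt(alice.Priv, ct)
	_, err := Decrypt(mallory.Priv, ct)
	fmt.Printf("alice decrypts: %q; mallory decrypts: %v\n", pt, err == nil)
}
```

In a real deployment the verifier would also check the certificate's chain to a trusted CA (Bill's point 2) before trusting the name it carries; that step is independent of the proof of possession shown here and is deliberately left out of the self-signed example.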