Firewall Wizards mailing list archives

RE: SecureID vs Certificates

From: "Bill Jaeger" <wlj () interNook net>
Date: Wed, 14 Feb 2001 03:27:36 -0500

Volker Tanger wrote:

On Certificates: you not have to store them on your local computer.
There are a lot of smart cards / safe readers (with keypad to release
the cert with a PIN) on which you can safely store your certificates.
Remove the card, and noone has access to your certificate.

Choose a card/reader system that does not COPY the certificate but that
does ENCRYPTION on the card itself. With this the certificate cannot be
copied. If you ony use the cards as simple certificate storage you have
the risk that maybe some program simply copies your certificate. With a
self-crypting certificate card/reader system you have safe two-component
solution:  the card (with certificate) you have - and the PIN you know.



Not to pick on Volker, but statements like the above really hit a pet peeve
of mine -- the common misconceptions about the security needs of digital
certificates.  Since others have made similar statements as part of this
discussion, I figured I'd chime in...


FACT:  Certificates CAN and SHOULD be widely distributed.
FACT:  "Theft" of a certificate DOES NOT compromise security.

It is the PRIVATE KEY associated with the digital certificate that must be
protected, and not the digital certificate itself.


Digital certificates provide the means for users or systems to:

1) ESTABLISH your identity by verifying that you hold the private key
related to the public key contained within the digital certificate.

2) TRUST your identity -- assuming that you've proved it above -- if they
also trust the Certificate Authority (CA) that issued your certificate.

3) ENCRYPT data explicitly for you using the public key contained within
your digital certificate.  This data can only be decrypted with the private
key associated with your digital certificate.

4) VERIFY digital signatures created with your private key using the
associated public key contained within the digital certificate.

Compromise of a user's PRIVATE KEY will undermine the four elements listed
above.


To authenticate a user, the user must prove that they hold the private key
associated with the public key contained within the digital certificate.
Simply presenting a digital certificate is not sufficient for authenticating
a user, and is akin to logging in to a system by only providing a user id
and no password.


Unfortunately, vendor hype about digital certificates does not help to clear
up misconceptions surrounding the use of the technology.

Hope this helps,
-Bill

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

Current thread:

Re: SecureID vs Certificates, (continued)
- - - Re: SecureID vs Certificates George Capehart (Feb 15)
    - Re: SecureID vs Certificates Marcus J. Ranum (Feb 15)
    - Re: SecureID vs Certificates Darren Reed (Feb 16)
    - Re: SecureID vs Certificates beldridg (Feb 16)
    - Re: SecureID vs Certificates Peter Lukas (Feb 16)
    - Re: SecureID vs Certificates George Capehart (Feb 15)
    - Re: SecureID vs Certificates Crist Clark (Feb 15)
- Re: SecureID vs Certificates Darren Reed (Feb 13)
- Re: SecureID vs Certificates Michael H. Warfield (Feb 13)
- Re: SecureID vs Certificates Volker Tanger (Feb 13)
  - RE: SecureID vs Certificates Bill Jaeger (Feb 15)
    - Re: SecureID vs Certificates Volker Tanger (Feb 15)
- Re: SecureID vs Certificates Marcus J. Ranum (Feb 14)
  - Re: SecureID vs Certificates Peter Lukas (Feb 15)
- Re: SecureID vs Certificates Jeffery . Gieser (Feb 13)
- Re: SecureID vs Certificates Gregory Hicks (Feb 13)
- RE: SecureID vs Certificates Ben Nagy (Feb 15)
- RE: SecureID vs Certificates Frank Knobbe (Feb 15)
- RE: SecureID vs Certificates Wigg, Guy G (Feb 15)
- RE: SecureID vs Certificates Nigel Willson (Feb 16)