Penetration Testing mailing list archives
Re: [PEN-TEST] Your opinions are solicited ...
From: "L.W." <eldub () POBOX COM>
Date: Mon, 30 Oct 2000 18:55:14 -0800
Comments throughout...

-> Jim Miller said:
-> Access will be controlled by installing a certificate on each
-> remote client. The installation is done via download from the
-> Certificate Server, but is a manual process: the remote will
-> request the certificate and the server will download only after
-> a process is started by support.

How will the user identify themselves to retrieve the certificate? Will the PKCS#10 request be autoapproved? What CSP will be invoked to generate the keys? You are looking at a good deal of user overhead here.

-> The IT staff is unsure where the certificate resides on the
-> client. They suppose it to be both file based and in the
-> Registry. They have tried the "certificate export" process in
-> IE and found that it will not export, so they are satisfied that
-> it provides the level of security required to secure a cash mgt
-> application. They note that the HTML page presented to IE
-> without the certificate is an error page. There is no way to
-> get at the certificate on the Net site.

This is completely dependent on OS and browser type. Also, any client-side stored certificates can be accidentally erased. How do you plan to deal with the CRL issue? What will your certificate re-issuance process be?

-> I have recommended using VPN, now readily available in Win2000,
-> but have been rejected. "A support nightmare." was the reason given.

You are already facing a support nightmare. The certificate issuance and management problem is going to be huge if you plan for this to scale to any significant numbers. How is the end user going to keep certificates straight in a multi-certificate environment?

-> What do you think of the security schema planned?
-> What schema would you use?
-> What do you think of the reason given for not using VPN?

1. Relies on the user doing the right thing, which is a bad assumption.
2. It is unclear if your certificate issuance process is secure.
3. It is unclear if your administration process is secure.
4. It is unlikely this process (as described) will scale due to certificate management and help desk overhead.
5. The private key may be exposed depending on the OS and browser used.

-LW
eldub () pobox com
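One way the support process could answer the "will the PKCS#10 request be autoapproved?" question raised above is an explicit approval gate. This is an added Go example, not code from the thread or from any product it mentions; approveCSR and makeCSR are hypothetical names, and the sample request is constructed inline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// approveCSR is a hypothetical issuance gate: a DER-encoded PKCS#10 request
// is accepted only if its self-signature verifies, the subject CN equals the
// identity support already authenticated out of band, and the key is an
// accepted EC curve. Anything else is refused rather than auto-approved.
func approveCSR(der []byte, authenticatedUser string) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return fmt.Errorf("malformed CSR: %w", err)
	}
	// Proof of possession: the request must be signed by the private key.
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("bad CSR signature: %w", err)
	}
	if csr.Subject.CommonName != authenticatedUser {
		return errors.New("subject CN does not match authenticated requester")
	}
	k, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("only ECDSA keys are accepted by this policy")
	}
	if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() {
		return errors.New("unsupported curve")
	}
	return nil
}

// makeCSR builds a constructed sample request, standing in for the client.
func makeCSR(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der
}

func main() {
	der := makeCSR("alice")
	fmt.Println("matching user:", approveCSR(der, "alice"))   // <nil>
	fmt.Println("wrong user:   ", approveCSR(der, "mallory")) // CN mismatch
	fmt.Println("tampered:     ", approveCSR(der[:len(der)-1], "alice"))
}
```

The CN check only means something if the support step that authenticates the requester happens before this gate runs; the CSR itself proves key possession, not identity.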