Leichter, Jerry wrote:
While trying to find something else, I came across the following
reference:
Title: Sender driven certification enrollment system
Document Type and Number: United States Patent 6651166
Link to this page: http://www.freepatentsonline.com/6651166.html
Abstract:
A sender driven certificate enrollment system and methods of its
use are provided, in which a sender controls the generation of a
digital certificate that is used to encrypt and send a document
to a recipient in a secure manner. The sender compares
previously stored recipient information to gathered information
from the recipient. If the information matches, the sender
transfers key generation software to the recipient, which
produces the digital certificate, comprising a public and
private key pair. The sender can then use the public key to
encrypt and send the document to the recipient, wherein the
recipient can use the matching private key to decrypt the
document.
Some feedback on the above security certificate issuance process.
At first, it seems neat. But then, looking at how it works in practice:
- the client receives an e-mail notification soliciting him to click on an
  HTML link and then enroll for a security certificate,
- the client is solicited exactly like a phishing criminal would do, and
- a Java software utility downloaded from the web should not be allowed to
  modify security-critical parameters on the local machine.
According to my records, this issuance process is nonetheless
representative of research directions for user enrollment, i.e. there
aren't too many other documented processes in this area.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
The Cryptography Mailing List