Hello Arshad,
Thanks for the email. I suppose the one thing I'd like to stress again
is that we wish to authenticate a machine, not a user. Many users may
log in to a certain machine (via a username and password that we would
issue). What we need to do on our system is to ensure that the user
logging in is valid to log in on that particular computer ('terminal' as
our customer calls them). The terminal itself is connected to the
company that the user works for in our database.
Regards
Denis

On Fri, Jan 30, 2009 at 12:08 AM, Arshad Noor
<[email protected]> wrote:
> Denis,
>
> You have already made the appropriate leap to this conclusion.
> I was going to suggest that there is something atypical about
> your application architecture if you're relying on authentication
> of the *machine* without the use of a hardware token - such as a
> smartcard, TPM chip, etc.
>
> What you want are FIPS 140-2 Level 2 (or above) certified crypto
> tokens that generate keys on-board and store the certificate of
> the user on the token (in addition to the browser).  The private
> key, however, never leaves the token, thus ensuring its security.
>
> Once your customers are issued these tokens with their personal
> certificates, they can use it on any PC they desire (assuming
> that the PC has been configured with the appropriate CA cert-
> chain).
>
> If you absolutely need to rely on authenticating the PC, then
> the only option you have is the TPM chip, because it is built
> with the chip on the motherboard by the manufacturer.
>
> As an aside, StrongAuth, Inc., the company I represent has been
> in the business of architecting, building & operating some of the
> largest closed-PKIs in the world for enterprises, with the use of
> crypto-tokens.  Most recently, we built a PKI for a bio-technology
> company that embedded secure processors with digital certificates
> into three different parts of their product, so that they may
> strongly authenticate to each other before being used.  This was
> designed to deter counterfeiters from cloning the consumable part
> of their product.  The device is currently awaiting FDA approval
> before coming to market.
>
> Feel free to get in touch with us, if we can be of any help to you.
>
> Arshad Noor
> StrongAuth, Inc.
>
> Denis McCarthy wrote:
>>
>> Thanks for the suggestion David. Unfortunately we are not connecting
>> to an active directory domain - our application has to go out over the
>> internet. I did a bit of fiddling with the certificates snap ins, but
>> Microsoft only makes certificates installed in the user account
>> available to IE. One other thing I've been mulling over - is it
>> possible to get a cheap piece of hardware (i.e. a dongle of some sort)
>> that you can put an X509 certificate on? If so, could anyone point me
>> in the direction of a company that provides such a product?
>> Regards
>> Denis
>
> --
> dev-tech-crypto mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>

-- 
Annadale Technologies Limited