One thing we are investigating is the possibility of writing an ActiveX component to access the computer account to pull the certificate information from there for a browser (we'd probably need to glue the ActiveX component together with some sort of Firefox plugin to get this to work in Firefox, but I think it should be doable). Would anyone know of any company or individual that I could hire to do such development (our expertise would be mainly server-side stuff and, while we could do it, it would take us much longer than someone who has expertise in the area)?
Ian, I think you may have misunderstood what I meant by 'transaction' (nothing to be ashamed of, as I can't think of any word with more meanings). When I said 'transaction', I wasn't implying transactional integrity or something like that, I was referring to the process one of our users goes through on our web application to process the financial transaction: i.e., fill in the various fields that need to be filled in on the HTML page, press submit, and get the confirmation. The application itself is already built and in pilot - we just need to find a balanced security model for a subset of our customers (none of whom are participating in the pilot) that will hit the sweet spot between security and ease of use. We have plenty of security options we could use, but I think if we could access an X.509 certificate from the machine certificate store it would be right on the money for us.

Denis

On Fri, Jan 30, 2009 at 1:24 PM, Eddy Nigg <[email protected]> wrote:
> On 01/30/2009 02:31 PM, Denis McCarthy:
>>
>> Actually, one other thing. While I agree with you on the thin clients
>> issue, many of our applications use their own PC's to run our
>> application (they have other applications they use on their PC besides
>> ours)
>>
>
> Typically server certificates are issued to servers, not clients. Perhaps if
> your applications behave like servers, they should use a server certificate,
> if your applications need to authenticate to a different server then they
> should use client certificates. Both of them don't have to be bound to a
> person (individual) per se. Many low-assurance certificates are exactly
> that.
>
> Now, when installing a certificate in Windows platforms you've got the
> possibility to choose the computer account (with the right access rights).
> You can install all kinds of certificates to the computer account. Making
> the authentication call is of course a different story. Windows has for
> example smart card logon, which is again bound to a user, not machine.
> Having the machine authenticate might be also possible with AD and DC.
>
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: [email protected]
> Blog: https://blog.startcom.org
> --
> dev-tech-crypto mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>

--
Annadale Technologies Limited

