Prasad wrote:
On Wed, April 26, 2006 16:42, Amol Hatwar said:
On Tue, 2006-04-25 at 16:42 +0530, Prasad wrote:

Back to the thread, two things first:
What is the use of your dongle if it gets stolen? The *real* issue is
not about the certs. It is about the software that allows you to access
those very certs. Ipso facto, quite a few providers give users
additional software that keeps the private keys encrypted (mostly
symmetric in nature). Again, there are industry standard ways to do
this.

Well, it's not my dongle ;)
The browsers use the PKCS11 interfaces to interact with hardware tokens
for certificates. The hardware tokens never give out the private key,
hence irrespective of how safe the application is, the certificate private
key is safe. You could then use the hardware token without any worries
even at an internet center (untrusted systems). It's a tradeoff between
losing your hardware token (it is still password protected) and losing
your private key!

I remember the TCS people telling us that the dongle is protected with a
PIN type password (similar to those used in ATM cards?).
Also that if you lose the dongle, you have to immediately call TCS who
will then withdraw the certificate.
So if the certificate is withdrawn, then anyone using it after it is
withdrawn also does not benefit. You are also required to inform the MCA
that you are replacing your digital certificate.
Of course, you will need to pay TCS Rs. 2075 for another digital
certificate. But that is fair and a punishment for being careless with
your equipment. Are you going to do things like that with your credit
card? If you don't lose your credit card, why will you want to lose your
Digital Certificate Token?

The question is... does TCS follow the standards? Is the software
secure? Whether or not they provide sources of this software, on most
systems strcpy() still causes a lot of pain and anguish. And is this
software compatible with GNU/Linux, BSDs and a host of other OSs out
there?

TCS does follow standards. As long as the private key is in a hardware
token, irrespective of how secure your operating system or application is,
the private key is safe and secure. I would be the first to party if TCS
releases the source code of these applications... but am not sure if they
would. There definitely is software compatible with GNU/Linux and other
free operating systems - mostly based either on OpenSSL or on Mozilla NSS.

Another important question is... can I generate my own cert and get it
signed by TCS? In case I do not want the dongle? Dongle-only certs are a
stupid way of doing things.

I think you can. As far as I remember, the system generates the
certificate request on the client browser - which is on the user side.
There probably is also a way to put in your request directly into a form
(I saw it somewhere, not sure if it was on TCS-CA).

Prasad, I'll be glad if you could point me to the right person inside
TCS so that these questions get answered.

Well, not sure if I can give you any email-ids, but you should still be
able to find some kind of contact information on
http://www.tcs-ca.tcs.co.in/

What concerns me more is the level of ignorance of the people who will
be using these tools! During the heydays of email, I had seen a
highly-placed government stooge who would distribute his password with
his email. He thought only people with the password could send him email.

What's worse? One of my friends has a letter from VSNL dating back to
when TCP/IP connections were just introduced in India. It said that the
IP addresses of their DNS servers were a national secret and won't be
revealed under any circumstances.

On one hand what is happening is good from an e-governance POV. But
according to my history books, Indian technology users are really bad at
coping with technological changes. The only solution is easier to use
tools and good fundamental education.

Well, the ignorance of end-users is one probable reason why they need
hardware tokens and not certificates stored in browsers/system. People
rarely are aware of the security risks when they browse the internet or do
banking transactions on public machines :(

Prasad