Michael S. Zick wrote:
On Fri December 26 2008, Edward Diener wrote:
By 'dongle' do you mean a hardware 'dongle'? If it is a software dongle you need to spell out for me what you mean.


There are a lot of devices being marketed for this purpose, but as
an example that it needs to be neither complicated programming nor
an expensive solution:

http://pdfserv.maxim-ic.com/en/an/app190.pdf

The basics (no insult intended):

Your client (or your application, on the client's behalf) generates
a public/private key pair -

The public part goes through the certification request process (with
your server) that you are familiar with -
The private part is never seen other than on the client machine during
generation -

The private part (or the key to its protective encryption) is stored in
one (or more) of those shirt button devices.
Once written and locked, short of peeling the silicon a few microns at a
time under an electron microscope - it isn't ever going to be read.
Some makes/models even have the stored data AES-256 encrypted, so even if 
peeled...

The client can record _their_ private part in as many devices as they
desire - and now they have a physical "thing" that any business knows
how to protect from loss.
Businesses well know how to protect something they can touch.

I am not trying to push a specific product, only giving an example,
even that one manufacturer makes a selection of products.

Bottom line - you might be adding $20-$50 per "button" the client
wants to have - you ship them blank - their software driver can write and lock them once the client has their private part ready.

Note: There are laptops and desktops made that already read these
1-wire devices, or a USB based reader can be added to existing machines.

Thanks for the information on these devices. I will mention this to the person for whom I work. The practical situation is that the device must be distributed to all end users who buy the application and they must "install" such a device on their computers. I do not think this is a viable solution for our application but I do understand that some people or companies may use it for their application.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
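
The key-handling flow outlined in the quoted message, as an added example that is not part of the original thread: the client generates the key pair, only the public part goes into the certification request, and the private key is kept AES-256 encrypted under a secret that would live on the hardware device. The file `token.secret` stands in for that device, and all file names and the subject `CN=example-client` are constructed for the example.

```shell
#!/bin/sh
# Added illustration. token.secret is a stand-in (assumption) for the value
# that would be written to the hardware device and locked there.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Random 256-bit secret: the "key to the protective encryption".
make_token_secret() {
    (umask 077 && openssl rand -hex 32 > "$WORK/token.secret")
}

# Key pair generated on the client; the private key only ever touches disk
# AES-256 encrypted under the token secret.
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "file:$WORK/token.secret" \
        -out "$WORK/client.key" 2>/dev/null
}

# Certification request carrying only the public part (constructed subject).
make_csr() {
    openssl req -new -key "$WORK/client.key" \
        -passin "file:$WORK/token.secret" \
        -subj "/CN=example-client" -out "$WORK/client.csr"
}

# The CSR's self-signature proves possession of the private key.
csr_ok() {
    openssl req -in "$WORK/client.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

# True only if the secret in file $1 decrypts the stored private key.
key_opens_with() {
    openssl pkey -in "$WORK/client.key" -passin "file:$1" -noout >/dev/null 2>&1
}

make_token_secret
make_key
make_csr
csr_ok && echo "CSR self-signature verified"
```

Without the secret, `client.key` is an encrypted PKCS#8 blob, so a copy of the disk alone does not yield the private key.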
