Just a thought.

If the MAC is part of the client certificate, why would that prevent anything?
If you want to check the MAC, do that somewhere else, because if the
client can see it is in the cert, it can be spoofed.

HTH

Regards,

Serge Fonville

On Wed, Sep 9, 2009 at 2:32 PM, Anoop C <anoop.cherilth...@sifycorp.com> wrote:
> Hi Patrik
>
> Thanks for the quick response.
> I totally agree on your point. Our associates often used to try others'
> certificates. So I want to remove that threat also by incorporating MAC
> address also into the certificates apart from the existing setup.
>
> Often WiMAX CPE vendors used to bind the MAC along with the certificate so
> that one's certificate cannot be installed to another CPE.
>
> I want to remove the risk of certificate stealing. Of course I am using CRL
> for revoking. Still want to know any possibility of adding MAC also to
> certificate.
>
> Regards
> Anoop C
> Access Network Engineering
> Sify Technologies Ltd.
> Chennai
>
> Mobile: +91 - 9884015161
> Xtn:2867
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson
> Sent: Wednesday, September 09, 2009 5:50 PM
> To: openssl-users@openssl.org
> Subject: Re: MAC address binding to the certificate
>
> Hi there:
>
> Anoop C wrote:
>> Hi all
>>
>> I am using certificates generated by openssl for authenticating the
>> WiFi users using EAP-TLS 802.1x authentication.
>> I would like to add MAC address of the user machines into each user
>> certificates so that the certificates used by one machine cannot be used in
>> another machine/PC.
>>
>> Could anyone please help how to create certificate with MAC address
>> bound to it.
>>
> I think that you may want to revisit your assumptions here - it is
> rather trivial to spoof a MAC address, so basing your security on that
> is not very good.
>
> Besides, as long as the user has a valid certificate, why do you care
> which machine they log in from? If you can't trust the holder of the
> certificate to keep it safe, then you have a different set of issues
> that MAC address binding will not save you from.
>
> Have fun.
>
> Patrick.
>
>> Regards
>> Anoop
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-us...@openssl.org
>> Automated List Manager                           majord...@openssl.org