Re: How to create a non exportable private key certificate using openssl

2009-07-24 Thread Emanuele Cesena
On Wed, 2009-07-15 at 13:25 +0200, Dr. Stephen Henson wrote: A possibility would be to use a PKCS#11 soft-token which won't export keys. I'm not aware of any such thing but it could be done. It would need to encrypt its key database in such a way that it would only work on one PC. I suggest

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread tito
Thanks a lot for the reply, David. First I will explain my threat model. I have got a lot of employees who do some transactions around the world sitting in their branch offices and I need to authenticate them using DC. So they raise a request from their browser and I provide them with a certificate

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread naveen.bn
Hi, can you not generate a certificate with the common name as the MAC address of the PC? Thanks and regards, Naveen. tito wrote: Thanks a lot for the reply, David. First I will explain my threat model. I have got a lot of employees who do some transactions around the world sitting in their

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread tito
@Naveen, I am afraid that would not be possible. 1. The agent requests using a webpage; there is no way in JavaScript you can get the MAC address. 2. Will the private key export be locked if we give CN as MAC address? I don't think so. 3. What if the agent takes the network card out and plugs it into

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread Steffen DETTMER
* tito wrote on Wed, Jul 15, 2009 at 09:19 +0530: Now the threat is: if an agent exports the certificate he acquired to a USB or in some other way and goes to his home PC or somewhere else and imports the certificate to his personal PC and starts doing transactions. He shouldn't be able to

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread tito
Thank you for replying. This is what I can conclude from the inputs I got. 1. Mozilla has no way to lock/disable the private key export when we export the certificate. 2. I would have to trust my agents, or write in a contract, that they will not use the certificate other than on the designated PC

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread Dr. Stephen Henson
On Wed, Jul 15, 2009, tito wrote: Thank you for replying. This is what I can conclude from the inputs I got. 1. Mozilla has no way to lock/disable the private key export when we export the certificate. 2. I would have to trust my agents, or write in a contract, that they will not use the

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread tito
Thanks a lot for the reply. In the case of IE, during the generation (generatePKCS10) we can set an option for whether we want to enable/disable the export of the private key. And when I did that and tried to export the certificate from IE, the private key export option was disabled in the wizard.

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread Michael S. Zick
On Wed July 15 2009, Dr. Stephen Henson wrote: On Wed, Jul 15, 2009, tito wrote: Thank you for replying. This is what I can conclude from the inputs I got. 1. Mozilla has no way to lock/disable the private key export when we export the certificate. 2. I would have to trust

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread tito
Yes, you are correct. This applies only to non-tech-savvy users. They are not going to export the certificate first of all, and they are not computer geeks; they are just common computer users. And they won't have first-hand knowledge about exporting the certificate or even know what a

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread Steffen DETTMER
* Michael S. Zick wrote on Wed, Jul 15, 2009 at 07:38 -0500: You can approximate that by grabbing the processor's silicon serial number plus grabbing the USB stick's silicon serial number plus a user-input (partial) passphrase. I assume a good virtualisation (maybe some patched VMware or the like)

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread Michael S. Zick
On Wed July 15 2009, Steffen DETTMER wrote: * Michael S. Zick wrote on Wed, Jul 15, 2009 at 07:38 -0500: You can approximate that by grabbing the processor's silicon serial number plus grabbing the USB stick's silicon serial number plus a user-input (partial) passphrase. I assume a good

Re: How to create a non exportable private key certificate using openssl

2009-07-15 Thread Kenneth Goldman
It sounds like the question is: how do I lock the client private key, so the user/attacker can't move it off the office PC? For the casual user, "If you do this, you'll lose your job" might work. For a determined attacker, I can't see how any software-only solution would work. Consider a hardware

Re: How to create a non exportable private key certificate using openssl

2009-07-14 Thread Dr. Stephen Henson
On Tue, Jul 14, 2009, tito wrote: Hi all, I have used the SPKAC format to request a digital certificate from Mozilla and signed the request with my master key from OpenSSL and imported it into my Mozilla. I can readily export (backup) the private key + certificate from Mozilla and import it to

RE: How to create a non exportable private key certificate using openssl

2009-07-14 Thread David Schwartz
tito wrote: I have used the SPKAC format to request a digital certificate from Mozilla and signed the request with my master key from OpenSSL and imported it into my Mozilla. I can readily export (backup) the private key + certificate from Mozilla and import it to some other system's Mozilla