My project is an inter-government project over the internet, with 2400
independent organizations in the first phase. Authentication is an important
issue. We agreed that smart cards would be a good solution, but they are beyond
the timescale of the project, because we cannot implement that for 10000+
users within 6 months. Besides, there is a country-wide project going on
that targets this issue with a 2-year timeframe.

UserID and password over SSL are considered insufficient. First, because
it is difficult to keep passwords properly secret in this environment.
AFAIK, this is still security threat #1. Second, I think that without
client certificates man-in-the-middle attacks are possible, using tools like
dsniff.

Hence, lacking smart cards, an authentication scheme using userid/pw plus
client certificates was devised. Only an administrator can download and
install a certificate; a user can only access the application using the
userid. Well, the user could export the certificate and post it on a public
server, but that is definitely a different thing than just writing down the
password on the back of the mousepad.

The authentication service will check the relationship between certificate
and userid. Ideally a user should be able to work from any PC certified for
her organization, but nowhere else. In this sense, we do not use personal
certificates but 'organizational' certificates, as a user may use any
certificate within the organization. We cannot rely on all organizations
having roaming profiles, where all users would have access to the
certificate regardless of location.

The question is the CertStore. To reduce the administrative burden, one
certificate per workstation would suffice. Something like "c:\windows\profiles\all
users\keystorefile".

I would like to hear your opinion.
Rainer

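The check described above (one certificate per workstation, bound to the organization rather than to the user, with the authentication service verifying that the userid and the presented certificate belong to the same organization) as an added example. This is not code from the thread: the organizations, users, CA names and workstation names are all constructed, one CA per organization is an assumed design, and a plain key file stands in for the shared per-workstation key store. It uses only the openssl command line.

```sh
#!/bin/sh
# Added example, not from the original thread. One CA per organization
# (assumed design), one certificate per workstation, and a server-side
# check that a userid may only be used with a certificate issued by that
# user's own organization. Names, organizations and users are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# --- Setup: one workstation CA per organization (constructed) ---
for org in OrgA OrgB; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=$org/CN=$org Workstation CA" \
    -keyout "ca-$org.key" -out "ca-$org.crt" 2>/dev/null
done

# issue_ws_cert ISSUER_ORG SUBJECT_O CN  -> writes CN.key and CN.crt
# The unencrypted key file stands in for the shared per-workstation key
# store (a store every user of the machine can open needs an unlock code
# that is stored on the machine anyway). SUBJECT_O is a parameter so the
# example can show a certificate whose O= does not match its issuer.
issue_ws_cert() {
  issuer=$1; subj_o=$2; cn=$3
  openssl req -newkey rsa:2048 -nodes -subj "/O=$subj_o/CN=$cn" \
    -keyout "$cn.key" -out "$cn.csr" 2>/dev/null
  openssl x509 -req -in "$cn.csr" -CA "ca-$issuer.crt" -CAkey "ca-$issuer.key" \
    -CAcreateserial -days 365 -out "$cn.crt" 2>/dev/null
}

issue_ws_cert OrgA OrgA ws-a-01     # legitimate OrgA workstation
issue_ws_cert OrgB OrgB ws-b-01     # legitimate OrgB workstation
issue_ws_cert OrgB OrgA ws-b-evil   # OrgB's CA asserting O=OrgA in the subject

# --- Authentication service side ---
# userid -> organization (constructed user directory)
USER_DIR="alice:OrgA
bob:OrgB"

org_of_user() {
  printf '%s\n' "$USER_DIR" | awk -F: -v u="$1" '$1 == u { print $2 }'
}

# check_login USERID CERTFILE: returns 0 if the certificate is acceptable
# for this userid, 1 otherwise. The trust anchor is the CA of the user's
# own organization, so a certificate from another organization's CA is
# rejected even when its subject claims the right O=. The subject check
# is kept as a second, independent condition.
check_login() {
  userid=$1; cert=$2
  org=$(org_of_user "$userid")
  [ -n "$org" ] || { echo "reject: unknown user $userid"; return 1; }
  [ -f "ca-$org.crt" ] || { echo "reject: no CA on file for $org"; return 1; }
  if ! openssl verify -CAfile "ca-$org.crt" "$cert" >/dev/null 2>&1; then
    echo "reject: $cert was not issued by the $org CA"; return 1
  fi
  cert_org=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline \
             | sed -n 's/^ *O=//p')
  if [ "$cert_org" != "$org" ]; then
    echo "reject: subject O=$cert_org does not match $org"; return 1
  fi
  echo "accept: $userid via $cert ($org)"
}

check_login alice ws-a-01.crt   || true   # accept
check_login bob   ws-b-01.crt   || true   # accept
check_login bob   ws-a-01.crt   || true   # reject: certificate from another organization
check_login alice ws-b-evil.crt || true   # reject: issued by OrgB's CA despite O=OrgA
check_login carol ws-a-01.crt   || true   # reject: unknown userid
```

The point of verifying against the user's organization CA alone, rather than one bundle of all 2400 organizations' CAs plus a subject comparison, is that any organization's CA could otherwise issue a certificate naming a different organization in its subject; with per-organization trust anchors that certificate simply does not chain.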
-----Original Message-----
From: bruce cartland [mailto:[EMAIL PROTECTED]]
Sent: Friday, 9 March 2001 14:50
To: [EMAIL PROTECTED]
Subject: Re: Client certificates: Key store per workstation, not per
user?


I thought Kerberos was symmetric?

I'd like to hear more on the requirement(s). Identify workstations for
audit? Identify users? Not use clear text?

I'd love to hear opinions, but client-side certs for workstations sound a bit
strange. The workstation would have to store the keystore/cert unlock code
somewhere. If you just want to identify the workstation (for audit
presumably) the server can tell the IP address (can be spoofed though).
Perhaps it would be better if the server picked up the MAC address of the
workstation? (haven't found a good way of doing that without running some
kind of service on the workstation the server can talk back to - which can
run into problems with routers/proxies/NATs between the server & client).

User identity + encryption can be done just using userid/pwd + server SSL.

What about using smartcards & client-side certs for mobile users?

I've been told of a nice (commercial) implementation which extends IE or
netscape where the server can initiate a client cert request over http/s.
The browser prompts the user to select the keystore/cert, etc. These may be
stored on a smartcard. I'm hoping to get a demo soon. I'll be very
interested to hear about alternatives.

regards
bc
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 09, 2001 11:48 PM
Subject: RE: Client certificates: Key store per workstation, not per user?


> Does it work in a browser-only environment? Would communicator support it?
>
> Rainer
>
> -----Original Message-----
> From: Jean-Marc Desperrier [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 9 March 2001 13:31
> To: [EMAIL PROTECTED]
> Subject: Re: Client certificates: Key store per workstation, not per
> user?
>
>
> [EMAIL PROTECTED] wrote:
>
> > I would like to use SSL with client certificates, but assign them to
> > workstations instead of users.
>
> I think you should watch what can be done with kerberos for this kind of
> feature.
>
> > Does someone know, if there is a way to install a certificate on Win
> NT/2K,
> > that is shared by all users of a workstation?
>
> 2K supports Kerberos, with certificate I believe
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
