My apologies if this is not really an OpenSSL question. Just want to get
some ideas from the gurus here.
There is this company (a so-called partner) which has hired an external
security consultant to oversee the security of a project which makes use of
crypto quite heavily. The security consultant didn't do anything else
except come up with a scheme that requires that every key must have two
certificates, one certificate used for encryption and the other used for
signature. The key and certificates are stored in a USB token. The reason
from the so-called security consultant was that it is more secure this way.
And he got backing from the CEO (well, the CEO brought him in).
We called it bullshit and were having a hot debate; most people (the
technical people) are opposed to that, saying that there is nothing secure
about this scheme. If you want to separate the signature key from the
encryption key, you should have 2 keys, and not one key with 2 certificates.
This does not make any sense.
The CEO said he trusts the "security expert", and if we want to change that,
we need to come up with better arguments than that.
It does not affect us too much, as we just need to modify a little portion of
our code (mostly Java) to handle the double-certificates thingy. But the
annoying thing is, the 2 certificates do not even specify usage attributes
correctly. And our security expert said it does not matter, we (the
programmers) have to figure out which cert is used for signature and
which one is used for encryption. We do all kinds of tricks to handle that,
and it's not even reliable.
And the bad thing is that he also wants to re-engineer all other existing
applications to use this double-cert scheme. Even worse, the consultant from
the local CA also supports that scheme, because (well, that's
understandable) the CA gets to sell two certs to each user.
What do you think?
coco
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
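
An added example, not part of the original message: when the keyUsage extension is set, the role of each certificate can be read from the certificate itself, and comparing the certified public keys shows whether two certificates bind the same key pair, as in the scheme described above. The key, certificates, subject names and function names are constructed for illustration, and OpenSSL 1.1.1 or later is assumed.

```sh
#!/bin/sh
# Added example. All keys, certificates and names below are constructed.
# Assumes OpenSSL 1.1.1 or later (for -addext and -ext).
WORK=$(mktemp -d)

# One RSA key with two certificates over it, as in the scheme described,
# but with keyUsage set so each certificate states its own purpose.
make_sample() {
    openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/key.pem" -days 1 -subj "/CN=sample-sign" \
        -addext "keyUsage=critical,digitalSignature,nonRepudiation" \
        -out "$WORK/sign.pem" 2>/dev/null
    openssl req -new -x509 -key "$WORK/key.pem" -days 1 -subj "/CN=sample-enc" \
        -addext "keyUsage=critical,keyEncipherment" \
        -out "$WORK/enc.pem" 2>/dev/null
}

# Classify a certificate by its keyUsage extension instead of guessing.
cert_role() {
    ku=$(openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null) || ku=""
    sig=no; enc=no
    case $ku in *"Digital Signature"*|*"Non Repudiation"*) sig=yes ;; esac
    case $ku in *"Key Encipherment"*|*"Data Encipherment"*) enc=yes ;; esac
    case $sig$enc in
        yesno)  echo signature ;;
        noyes)  echo encryption ;;
        yesyes) echo both ;;
        *)      echo unspecified ;;   # no usable keyUsage: role cannot be derived
    esac
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a certificate.
key_id() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# True when two certificates certify the same public key.
same_key() { [ "$(key_id "$1")" = "$(key_id "$2")" ]; }

make_sample
for c in sign enc; do
    echo "$c.pem: role=$(cert_role "$WORK/$c.pem") key=$(key_id "$WORK/$c.pem")"
done
if same_key "$WORK/sign.pem" "$WORK/enc.pem"; then
    echo "both certificates bind the same key pair"
fi
```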