Hi,
Can you not generate a certificate with the common name as the MAC
address of the PC.
Thanks and regards
Naveen
tito wrote:
Thanks a lot for the reply David.
First I will explain my threat model. I have got lot of employees who
do some transactions around the world sitting in their branch offices
and I need to authenticate them using DC. So they raise a request from
their browser and I provide them with a certificate from my
openssl.The browser will be in the PC of the office branches.
Now the threat is, If an agent export the certificate he acquired in a
USB or in someother way and goes to his home pc or somewhere else and
he imports the certificate to his personal PC and started doing
transactions.This cannot be allowed and the agent should do only
transactions from his office PC allotted to him.
As you have said,
simply graying out the option to export the key is sufficient.
But the agent is a franchisee and I cannot force them to install or do
something in their pcs,nor can I check whether they are ensuring the
instructions.So I cannot force or tell the agent to do some
configuration/modification in his PC or browser.
if he uninstalls and deletes the certificates/browser or change his PC
,I shall issue him a new certificate.
He shouldnt be able to export/backup the private key or the
certificate I have issued to him.
Also this is not an issue in IE , as I can disable the option to
export the private key.So in IE, this requirement works well.
But I cannot enforce the agents to use Windows/Linux or IE
/Mozilla.The agents have the choice of infrastructure they can use.So
I cannot enforce them to use IE or Windows.
2009/7/15 David Schwartz <dav...@webmaster.com
<mailto:dav...@webmaster.com>>
tito wrote:
> I have used SPKAC format to request a digital certificate from
mozilla
> and signed the request with my master key from open ssl and
imported it
> to my mozilla. I can readily export (backup)the private key +
certificate
> from mozilla and import it to some other system's mozilla
browser. I dont
> want this to happen. I dont want the private key to be exported.
is there
> any option in openssl to disable this.
It's not really possible to give you useful advice without
understanding
your threat model. For example, would simply graying out the option to
export the key suffice? Or do you need to prevent the key from being
extracted even by a determined attacker? (For example, is simply
shutting
off Mozilla's export option sufficient even if Mozilla is still
capable of
exporting the key?)
In principle, for Mozilla to prove it is entitled to use the
certificate, it
must perform operations using the private key. Unless the key is
stored in a
hardware token, there is no way to stop it from exporting the very
same
private key data it is using to perform those key operations.
What is your outer problem? Are you trying to prevent against user
error?
Are you trying to protect against malicious corruption of the
browser by a
determined attacker with access to the local system?
DS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List
openssl-users@openssl.org <mailto:openssl-users@openssl.org>
Automated List Manager
majord...@openssl.org <mailto:majord...@openssl.org>
