* tito wrote on Wed, Jul 15, 2009 at 09:19 +0530:
> Now the threat is, if an agent exports the certificate he
> acquired in a USB or in some other way and goes to his home PC
> or somewhere else and he imports the certificate to his
> personal PC and starts doing transactions.
>
> He shouldn't be able to export/backup the private key or the
> certificate I have issued to him.

So it is not only of concern who is performing those transactions
(i.e. who is authorized) but what kind of tool (PC) he uses? Or
where the PC is geographically located?

As I understand you would like to bind part of security (or
authorization?) to something different than a key. The key shall
ensure someone's identity (authentication).
Now you want to prevent a backup of the PC. Since disk imaging is
trivial, you have to use some key store hardware that cannot be
copied (such as a SmartCard or token). Of course this can be
moved (to a different location / PC).

Even if it couldn't be, it is trivial to bypass, for instance by
installing VNC remote display or setting a remote DISPLAY via SSH to
run the tool remotely on the `authorized PC' from some other PC
or mobile phone (VNC client) from another location.

I think you have to solve this by contract. Persons authorized to
do such transactions first have to sign a contract that
explicitly states that the person never ever will access it
remotely, in any way not intended or specified or perform a
backup etc. pp. (hope a lawyer can help).

> Also this is not an issue in IE, as I can disable the option to export the
> private key. So in IE, this requirement works well.
> But I cannot enforce the agents to use Windows/Linux or IE/Mozilla. The
> agents have the choice of infrastructure they can use. So I cannot enforce
> them to use IE or Windows.

But you can enforce them not to use Acronis Disk Image, VNC or VMWare?

oki,

Steffen

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
