Thank you for replying.

This is what I can conclude from the inputs I got.

1. Mozilla has no way to lock/disable the private key export when we export
the certificate.

2. I would have to trust my agents, or write into the contract that they will
not use the certificate anywhere other than the designated PC where the request
for the certificate was made.

If anyone has any other opinions about it, please let me know. Thanks a
lot.

2009/7/15 Steffen DETTMER <steffen.dett...@ingenico.com>

> * tito wrote on Wed, Jul 15, 2009 at 09:19 +0530:
> > Now the threat is: if an agent exports the certificate he
> > acquired to a USB stick or in some other way, goes to his home PC
> > or somewhere else, imports the certificate to his
> > personal PC and starts doing transactions.
> >
> > He shouldn't be able to export/backup the private key or the
> > certificate I have issued to him.
>
> So it is not only of concern who is performing those transactions
> (i.e. who is authorized) but what kind of tool (PC) he uses? Or
> where the PC is geographically located?
>
> As I understand, you would like to bind part of security (or
> authorization?) to something different than a key. The key shall
> ensure someone's identity (authentication).
> Now you want to prevent a backup of the PC. Since disk imaging is
> trivial, you have to use some key store hardware that cannot be
> copied (such as a SmartCard or token). Of course this can be
> moved (to a different location / PC).
>
> Even if it couldn't be, it is trivial to bypass, for instance by
> installing VNC remote display or set a remote DISPLAY via SSH to
> run the tool remotely on the `authorized PC' from some other PC
> or mobile phone (VNC client) from another location.
>
> I think you have to solve this by contract. Persons authorized to
> do such transactions have to sign a contract beforehand that
> explicitly states that the person never ever will access it
> remotely, in any way not intended or specified, or perform a
> backup etc pp (hope a lawyer can help).
>
> > Also this is not an issue in IE, as I can disable the option to export
> > the private key. So in IE, this requirement works well.
> > But I cannot force the agents to use Windows/Linux or IE/Mozilla. The
> > agents have the choice of infrastructure they can use. So I cannot force
> > them to use IE or Windows.
>
> But you can enforce them not to use Acronis Disk Image, VNC or VMWare?
>
> oki,
>
> Steffen
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
