On Wed, 2009-07-15 at 13:25 +0200, Dr. Stephen Henson wrote:
> A possibility would be to use a PKCS#11 soft-token which won't export keys. I'm
> not aware of any such thing but it could be done. It would need to encrypt
> its key database in such a way that it would only work on one PC.
>
I sugges
It sounds like the question is "how do I lock the client private key,
so the user/attacker can't move it off the office PC?"
For the casual user, "If you do this, you'll lose your job" might work.
For a determined attacker, I can't see how any software-only solution
would work. Consider a hardwa
On Wed July 15 2009, Steffen DETTMER wrote:
> * Michael S. Zick wrote on Wed, Jul 15, 2009 at 07:38 -0500:
> > You can approximate that by grabbing the processor's silicon
> > serial number plus grab the USB stick's silicon serial number
> > plus a user input (partial) passphrase.
>
> I assume a g
* Michael S. Zick wrote on Wed, Jul 15, 2009 at 07:38 -0500:
> You can approximate that by grabbing the processor's silicon
> serial number plus grab the USB stick's silicon serial number
> plus a user input (partial) passphrase.
I assume a good virtualisation (maybe some patched VMWare or
alike)
Yes you are correct. This applies to only non-tech savvy users. They are not
going to export the certificate first of all and they are not computer
geeks, they are just common computer users. And they won't be having first hand
knowledge about exporting the certificate or even won't be knowing what a
ce
On Wed July 15 2009, Dr. Stephen Henson wrote:
> On Wed, Jul 15, 2009, tito wrote:
>
> > Thank you for replying.
> >
> > This is what I can conclude from the inputs I got.
> >
> > 1. Mozilla has no way to lock/disable the private key export when we export
> > the certificate.
> >
> > 2. I woul
Thanks a lot for the reply.
In the case of IE during the generation (generatePKCS10) we can set an
option that whether we want to enable/disable the export of private key. And
when I did that and tried to export the certificate from IE, the private key
export option was disabled in the wizard.
B
On Wed, Jul 15, 2009, tito wrote:
> Thank you for replying.
>
> This is what I can conclude from the inputs I got.
>
> 1. Mozilla has no way to lock/disable the private key export when we export
> the certificate.
>
> 2. I would have to trust my agents/or write in contract, that he will not
>
Thank you for replying.
This is what I can conclude from the inputs I got.
1. Mozilla has no way to lock/disable the private key export when we export
the certificate.
2. I would have to trust my agents/or write in contract, that he will not
use the certificate other than the designated PC whe
* tito wrote on Wed, Jul 15, 2009 at 09:19 +0530:
> Now the threat is, if an agent exports the certificate he
> acquired in a USB or in some other way and goes to his home pc
> or somewhere else and he imports the certificate to his
> personal PC and started doing transactions.
>
> He shouldn't be abl
@Naveen,
I am afraid that would not be possible.
1. The agent requests using a webpage. There is no way in JavaScript you can
get the MAC address.
2. Will the private key export be locked if we give CN as MAC address? I don't
think so.
3. What if the agent takes the network card out and plug into h
Hi,
Can you not generate a certificate with the common name as the MAC
address of the PC?
Thanks and regards
Naveen
tito wrote:
Thanks a lot for the reply David.
First I will explain my threat model. I have got a lot of employees who
do some transactions around the world sitting in their branc
Thanks a lot for the reply David.
First I will explain my threat model. I have got a lot of employees who do
some transactions around the world sitting in their branch offices and I
need to authenticate them using DC. So they raise a request from their
browser and I provide them with a certificate f
tito wrote:
> I have used SPKAC format to request a digital certificate from Mozilla
> and signed the request with my master key from OpenSSL and imported it
> to my Mozilla. I can readily export (backup) the private key + certificate
> from Mozilla and import it to some other system's Mozilla br
On Tue, Jul 14, 2009, tito wrote:
> Hi all,
>
> I have used SPKAC format to request a digital certificate from Mozilla and
> signed the request with my master key from OpenSSL and imported it to my
> Mozilla. I can readily export (backup) the private key + certificate from
> Mozilla and import
Hi all,
I have used SPKAC format to request a digital certificate from Mozilla and
signed the request with my master key from OpenSSL and imported it to my
Mozilla. I can readily export (backup) the private key + certificate from
Mozilla and import it to some other system's Mozilla browser. I don