On 30/1/09 17:07, Denis McCarthy wrote:
Is there a reason why you want certificates involved? Why can't the
machine's website just have a drop-down or cookie or something that says
what store it is in?
The reason why we want certificates involved is because in general we
don't trust the user to do the right thing outside of working hours.
This is the real digression we have between standard usage of X.509
and our required usage.
No, this is nothing to do with X.509. That's just a framework for
public key cryptography and some static claims. Which is little to do
with what you are after.
We don't want to issue John Doe who just got a
job in Kwik-e-Mart with a personal certificate to transact business on
behalf of his employer: we want to give him a username and password
that will allow him to transact business through our application
running on an already authenticated PC under the control of the
Kwik-e-Mart IT department.
What you want is for the transactions only to be doable on designated
PCs. This sort of thing is normally considered to be a VPN question.
The reason it is considered a VPN question is because the use of certs &
keys & passwords is too brittle. The protection has to be outside, not
inside. Consider that a private key is little more than a password (and
in this context it is no more than a password).
a. PC has a password
b. user has a password
c. PC authenticates itself to the system
d. user authenticates herself to the system
e. user authorises a transaction
f. system accepts as authentic the transaction
That's it! The problem of course here is that if the user wants to go
loopy and do business on own-account, she just takes the PC password
home and uses that (or if she is smart, she takes all the PC passwords,
and "compromises" a friend's password, and does the business in a way
that leads people to think it was a hacker...).
(The difference between the passphrase "password" and the X.509
"password" is pretty meaningless here.)
Then, the X.509 installation (and therefore
the knowledge of the pass phrase to accomplish such an installation)
can be performed by a trusted individual within the Kwik-e-Mart
organisation, rather than John Doe (who might get criminal notions and
put through transactions using his X509 certificate under his own name
from his ADSL connection at home).
Um. OK, I see it. Well, X.509 won't solve that. I don't mean to be
rude, but what you need is architecture, not crypto or PKI or tech of
any form. This is not really the place for architecture (I wish it
were! but it ain't). What you need likely is some help in the general
topics of authentication and authorisation and so forth.
If anyone mentions X.509 or public key or protocols to you, you are in
the *wrong place*. Apologies :)
iang
Can't you install a client-side cert in each browser, and then use
client-side SSL? From inside your server-side application you can then read
out the client-side certificate info.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
