Date:      Sun, 24 Mar 2013 01:33:11 -0700
From:      Doug Hardie <>
To:        Polytropon <>
Cc:        " List" <>
Subject:   Re: Client Authentication
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <>


On 24 March 2013, at 01:22, Polytropon <> wrote:

> Wouldn't there be a possibility to combine key _and_ password?
> The key shouldn't have to be removed, but it should only work
> with a password (which again is kept individual to each user).
> The process has to be made "more uncomfortable" to be secure,
> i. e., the password should _not_ be stored, instead it _has_
> to be entered every time the secure connection is to be used.
> If a different user gets his hands on a running session (in
> terms of user-separation or profiles on a particular machine),
> he won't be able to do anything with mail as he does not know
> the password, and the password will not be automatically
> provided for the sake of being "less complicated".
> I don't know your particular end user machine settings, so this
> is just a broad suggestion. Many things in this idea depend on
> what software the client systems use, and how this software
> actually deals with security-related settings and procedures.

The p12 format certificate includes the key and both are encrypted. This seems like the best distribution format. From what I have read most browsers can handle this distribution format since it is used in smart cards. However, on Safari, at least, when you import the certificate you have to enter the encryption key for the certificate and key. Then those are stored in the keychain (without any additional reference to that encryption key). They then can be used by anyone on that machine. It kind of defeats all the effort for security up to that

DoD addresses this issue by somehow making the certificate not be imported into the keychain, but retained on the smart card only. Pulling the card from the reader eliminates any future use of it. That's what I would like to achieve.

-- Doug
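The point Doug makes about the .p12 bundle (certificate and private key encrypted together under one export passphrase, which stops protecting anything once a client has imported the bundle into a shared keychain) can be checked on the command line. The script below is an added example, not part of the thread or of any project it mentions: it builds a throwaway self-signed client certificate with openssl, wraps it in a passphrase-protected PKCS#12 file, and then shows that the private key can be dumped with the right passphrase and not with a wrong one. The file names, the subject name and both passphrases are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a passphrase-protected
# PKCS#12 (.p12) bundle and show that the private key inside it cannot be read
# without the export passphrase. All names and passphrases are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/p12-demo.$$"
P12_PASS='example-export-passphrase'   # constructed sample passphrase

# make_bundle: generate a throwaway self-signed client cert + key and wrap
# both in an encrypted .p12. Returns 0 on success.
make_bundle() {
    mkdir -p "$WORK"
    # -nodes leaves the PEM key unencrypted on disk; the .p12 step below is
    # what then encrypts it together with the certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=example-client' \
        -keyout "$WORK/client.key" -out "$WORK/client.crt" >/dev/null 2>&1
    # -export writes the PKCS#12; -passout sets the passphrase under which
    # both the certificate and the private key are stored.
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
        -name 'example-client' -out "$WORK/client.p12" \
        -passout "pass:$P12_PASS"
}

# key_extractable PASSPHRASE: try to dump the private key from the .p12.
# Returns 0 only if a private key came out, 1 otherwise (e.g. wrong passphrase,
# which makes openssl fail its MAC check and print nothing).
key_extractable() {
    openssl pkcs12 -in "$WORK/client.p12" -nocerts -nodes \
        -passin "pass:$1" 2>/dev/null | grep -q 'PRIVATE KEY'
}

cleanup() { rm -rf "$WORK"; }

main() {
    make_bundle
    if key_extractable "$P12_PASS"; then
        echo "correct passphrase: private key recovered from client.p12"
    fi
    if ! key_extractable 'wrong-passphrase'; then
        echo "wrong passphrase: private key stays encrypted inside client.p12"
    fi
    cleanup
}

main
```

This only demonstrates the protection of the bundle as a file in transit. Once a client such as the Safari/keychain import described above has unpacked it with the passphrase, the key lives in whatever store that client uses, under that store's own access rules, and the .p12 passphrase no longer plays any part.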
