Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 24 Mar 2013 01:33:11 -0700
From:      Doug Hardie <bc979@lafn.org>
To:        Polytropon <freebsd@edvax.de>
Cc:        "freebsd-questions@freebsd.org List" <freebsd-questions@freebsd.org>
Subject:   Re: Client Authentication
Message-ID:  <99C3507E-A7C5-4DC0-AB75-26D649CE8C97@lafn.org>
In-Reply-To: <20130324092248.76809163.freebsd@edvax.de>
References:  <B2DC7342-9F1A-489A-94F0-49802B1E5DF6@lafn.org> <CAFYkXjmc47oaCkMMF40oNM3Zsk=L1x6HeyUhYY2pRMfgKf-UZg@mail.gmail.com> <85D3DEE2-3E4E-4B68-87B0-6B946F15581C@lafn.org> <20130324092248.76809163.freebsd@edvax.de>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

On 24 March 2013, at 01:22, Polytropon <freebsd@edvax.de> wrote:

>=20
> Wouldn't there be a possibility to combine key _and_ password?
> The key shouldn't have to be removed, but it should only work
> with a password (which again is kept individual to each user).
> The process has to be made "more uncomfortable" to be secure,
> i. e., the password should _not_ be stored, instead it _has_
> to be entered every time the secure connection is to be used.
> If a different user gets his hands on a running session (in
> terms of user-separation or profiles on a particular machine),
> he won't be able to do anything with mail as he does not know
> the password, and the password will not be automatically
> provided for the sake of being "less complicated".
>=20
> I don't know your particular end user machine settings, so this
> is just a broad suggestion. Many things in this idea depend on
> what software the client systems use, and how this software
> actually deals with security-related settings and procedures.

The p12 format certificate includes the key and both are encrypted.  =
This seems like the best distribution format.  =46rom what I have read =
most browsers can handle this distribution format since it is used in =
smart cards.  However, on Safari, at least, when you import the =
certificate you have to enter the encryption key for the certificate and =
key.  Then those are stored in the keychain (without any additional =
reference to that encryption key).  They than can be used by anyone on =
that machine.  It kind of defeats all the effort for security up to that =
point.

DoD addresses this issue by somehow making the certificate not be =
imported into the keychain, but retained on the smart card only.  =
Pulling the card from the reader eliminates any future use of it.  Thats =
what I would like to achieve.

-- Doug=



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?99C3507E-A7C5-4DC0-AB75-26D649CE8C97>