Date: Sun, 24 Mar 2013 01:33:11 -0700
From: Doug Hardie <bc979@lafn.org>
To: Polytropon <freebsd@edvax.de>
Cc: "freebsd-questions@freebsd.org List" <freebsd-questions@freebsd.org>
Subject: Re: Client Authentication
Message-ID: <99C3507E-A7C5-4DC0-AB75-26D649CE8C97@lafn.org>
In-Reply-To: <20130324092248.76809163.freebsd@edvax.de>
References: <B2DC7342-9F1A-489A-94F0-49802B1E5DF6@lafn.org> <CAFYkXjmc47oaCkMMF40oNM3Zsk=L1x6HeyUhYY2pRMfgKf-UZg@mail.gmail.com> <85D3DEE2-3E4E-4B68-87B0-6B946F15581C@lafn.org> <20130324092248.76809163.freebsd@edvax.de>
On 24 March 2013, at 01:22, Polytropon <freebsd@edvax.de> wrote:
>
> Wouldn't there be a possibility to combine key _and_ password?
> The key shouldn't have to be removed, but it should only work
> with a password (which again is kept individual to each user).
> The process has to be made "more uncomfortable" to be secure,
> i. e., the password should _not_ be stored, instead it _has_
> to be entered every time the secure connection is to be used.
> If a different user gets his hands on a running session (in
> terms of user-separation or profiles on a particular machine),
> he won't be able to do anything with mail as he does not know
> the password, and the password will not be automatically
> provided for the sake of being "less complicated".
>
> I don't know your particular end user machine settings, so this
> is just a broad suggestion. Many things in this idea depend on
> what software the client systems use, and how this software
> actually deals with security-related settings and procedures.

The p12 format certificate includes the key and both are encrypted. This seems like the best distribution format. From what I have read most browsers can handle this distribution format since it is used in smart cards. However, on Safari, at least, when you import the certificate you have to enter the encryption key for the certificate and key. Then those are stored in the keychain (without any additional reference to that encryption key). They then can be used by anyone on that machine. It kind of defeats all the effort for security up to that point. DoD addresses this issue by somehow making the certificate not be imported into the keychain, but retained on the smart card only. Pulling the card from the reader eliminates any future use of it. That's what I would like to achieve.

-- 
Doug
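The message above says a PKCS#12 (.p12) bundle carries the certificate and private key together, encrypted under one passphrase. The following shell script is an added example, not code from the thread or from any project named in it: it builds a throwaway self-signed client identity with the openssl command line tool, exports it to a passphrase-protected .p12, and confirms that the bundle opens only under the right passphrase. The subject name, passphrases and file names are constructed for the demonstration; it assumes an openssl binary (1.1 or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a passphrase-protected PKCS#12 bundle
# with the openssl CLI and check that it cannot be opened without the passphrase.
# Assumes openssl is installed; subject, passphrases and paths are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed client certificate and its private key.
# (No real CA is involved; this only stands in for an issued client identity.)
make_client_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-user" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Wrap key and certificate into one PKCS#12 file encrypted under passphrase $1.
# This is the artifact you would hand to a user; the passphrase protects it in transit
# and at rest, but not after a client application has imported and cached it.
export_p12() {
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -out "$WORK/user.p12" -passout "pass:$1" 2>/dev/null
}

# Return 0 if the bundle's MAC verifies and its contents decrypt under passphrase $1.
# -noout parses and verifies the input without writing any credentials.
p12_opens_with() {
    openssl pkcs12 -in "$WORK/user.p12" -passin "pass:$1" -noout >/dev/null 2>&1
}

# Print "ok" when the correct passphrase opens the bundle and a wrong one is rejected.
check_p12_protection() {
    make_client_identity || { echo "could not create test identity"; return 1; }
    export_p12 "correct-passphrase" || { echo "could not export PKCS#12"; return 1; }
    p12_opens_with "correct-passphrase" || { echo "correct passphrase rejected"; return 1; }
    if p12_opens_with "wrong-passphrase"; then
        echo "bundle opened with the wrong passphrase"
        return 1
    fi
    echo ok
}

check_p12_protection
```

The check only demonstrates the property the message relies on (the bundle is useless without its passphrase). It says nothing about what happens after import: once a client such as the Safari/keychain case described above has stored the decrypted key, the passphrase no longer gates its use, which is exactly the gap the message is pointing at.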