From owner-freebsd-questions@FreeBSD.ORG Sun Mar 24 08:33:17 2013
Subject: Re: Client Authentication
From: Doug Hardie
To: Polytropon
Cc: "freebsd-questions@freebsd.org List"
Date: Sun, 24 Mar 2013 01:33:11 -0700
Message-Id: <99C3507E-A7C5-4DC0-AB75-26D649CE8C97@lafn.org>
In-Reply-To: <20130324092248.76809163.freebsd@edvax.de>
References: <85D3DEE2-3E4E-4B68-87B0-6B946F15581C@lafn.org> <20130324092248.76809163.freebsd@edvax.de>

On 24 March 2013, at 01:22, Polytropon wrote:

> Wouldn't there be a possibility to combine key _and_ password?
> The key shouldn't have to be removed, but it should only work
> with a password (which again is kept individual to each user).
> The process has to be made "more uncomfortable" to be secure,
> i. e., the password should _not_ be stored, instead it _has_
> to be entered every time the secure connection is to be used.
> If a different user gets his hands on a running session (in
> terms of user-separation or profiles on a particular machine),
> he won't be able to do anything with mail as he does not know
> the password, and the password will not be automatically
> provided for the sake of being "less complicated".
>
> I don't know your particular end user machine settings, so this
> is just a broad suggestion. Many things in this idea depend on
> what software the client systems use, and how this software
> actually deals with security-related settings and procedures.

The p12 format certificate includes the key and both are encrypted. This seems like the best distribution format. From what I have read most browsers can handle this distribution format since it is used in smart cards. However, on Safari, at least, when you import the certificate you have to enter the encryption key for the certificate and key. Then those are stored in the keychain (without any additional reference to that encryption key). They then can be used by anyone on that machine. It kind of defeats all the effort for security up to that point. DoD addresses this issue by somehow making the certificate not be imported into the keychain, but retained on the smart card only. Pulling the card from the reader eliminates any future use of it. That's what I would like to achieve.

-- 
Doug
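The two points made in this thread (a PKCS#12 bundle protects key and certificate only as long as its password is not stored anywhere, and Polytropon's suggestion of keeping the key usable only with a passphrase that is entered each time) can be exercised directly with the OpenSSL command line. The following is an added example, not code from the thread or from any FreeBSD project; the client name, file names and passwords are constructed, and a throwaway self-signed certificate stands in for one issued by a real CA. It builds a password-protected .p12, shows that it cannot be opened without the password, then re-extracts the private key under its own separate passphrase, which is the form a mail client or keychain would have to keep encrypted (and prompt for) to preserve the protection Doug describes losing on import.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Requires the openssl CLI.
# All names and passwords below are constructed for the demonstration.
set -e

WORK=$(mktemp -d)
CERT_PASS="constructed-p12-password"          # protects the .p12 as distributed
KEY_PASS="constructed-separate-key-password"  # protects the extracted private key

# Throwaway client key + self-signed certificate (stand-in for a CA-issued one).
make_client_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.crt" >/dev/null 2>&1
}

# Bundle key + cert into a password-protected PKCS#12 file, the distribution
# format discussed in the thread; both key and cert are encrypted under CERT_PASS.
export_p12() {
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -name "example-client" -out "$WORK/client.p12" -passout "pass:$CERT_PASS" \
    >/dev/null 2>&1
}

# Returns 0 if the .p12 can be opened with the given password, non-zero otherwise.
# A wrong password fails the MAC check, so nothing inside is accessible.
p12_opens_with() {
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$1" \
    -nokeys -nocerts -info >/dev/null 2>&1
}

# Pull the private key back out of the .p12 but write it encrypted under its own
# passphrase (KEY_PASS), so using the key still requires entering a secret.
extract_key_encrypted() {
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$CERT_PASS" -nocerts \
    -passout "pass:$KEY_PASS" -out "$WORK/client.enc.key" >/dev/null 2>&1
}

# Returns 0 if the encrypted key file can be read with the given passphrase.
key_readable_with() {
  openssl pkey -in "$WORK/client.enc.key" -passin "pass:$1" -noout >/dev/null 2>&1
}

cleanup() {
  rm -rf "$WORK"
}

# Walk through the whole sequence and report each check.
demo() {
  make_client_identity
  export_p12
  p12_opens_with "$CERT_PASS" && echo "p12 opens with the right password"
  p12_opens_with "wrong-password" || echo "p12 refuses a wrong password"
  extract_key_encrypted
  key_readable_with "$KEY_PASS" && echo "key usable with its own passphrase"
  key_readable_with "wrong-password" || echo "key unusable without the passphrase"
  cleanup
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run it with `sh example.sh --demo`. The point the checks make is the one in the thread: the .p12 and the extracted key are only protected while their passwords are not stored alongside them. Once an import step decrypts the key and stores it in a keychain that unlocks with the user's login (or with no prompt at all), the same key is available to whoever holds the session, and the per-use password in Polytropon's suggestion is exactly what that import discards.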