Re: PKI and Relying Parties

From: Anne & Lynn Wheeler (lynn@garlic.com)
Date: 03/27/02


From: Anne & Lynn Wheeler <lynn@garlic.com>
Date: Wed, 27 Mar 2002 18:16:02 GMT

Paul Rubin <phr-n2002a@nightsong.com> writes:
> If you're trying to use a cert to authenticate a high-value extranet
> peer, and you don't want to run your own CA, the safest approach is to
> configure your software to accept only specific certs kept in a list
> that you maintain. Have the peer get their cert (whether class 3 or
> whatever), then you authenticate them offline by whatever method you
> desire before installing their cert in your software. Normally
> there's enough hassle (both business and technical) in bringing a new
> extranet partner online that adding some cert verification doesn't
> make it that much worse. But I guess it depends on your specific
> situation.
>
> You might want to read Bruce Schneier's article on PKI risks, and
> his book "Secrets and Lies".

some number of financial institutions have gone to "relying party
only" certificates ... i.e. certificates issued by the institution and
only useful by that institution. what they found out was that they were
interested in public key authentication ... which (apparently when
they started) they thought was equivalent to PKI, CAs, certificates,
etc.

What they started to find out was that the transactions & operations
were accessing the same infrastructure that effectively was used for
issuing the certificates ... including real time status information.

It was then trivially possible to show that the actual issuance of a
certificate was redundant and superfluous.

random refs:
http://www.garlic.com/~lynn/subtopic.html#radius
http://www.garlic.com/~lynn/subtopic.html#sslcerts
http://www.garlic.com/~lynn/subtopic.html#privacy

-- 
Anne & Lynn Wheeler   | lynn@garlic.com, http://www.garlic.com/~lynn/
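An added example (not code from the original post or from the Wheelers' site) of the "relying party only" flow the post describes, in Go: the institution stores the enrolled public key next to the account status it already maintains, so authenticating a signed transaction is a single record lookup and there is no certificate to issue, parse, or check against a CRL or OCSP responder. The account identifiers, transaction layout and sequence-number replay check are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AccountStatus is the real-time status the institution already keeps for
// every account, independent of any certificate.
type AccountStatus int

const (
	Active AccountStatus = iota
	Suspended
)

// Account is the relying party's own record. The public key registered at
// enrolment sits beside the status and a replay counter, so one lookup
// answers both "is this key still good?" and "did this key sign this?".
type Account struct {
	PubKey  *ecdsa.PublicKey
	Status  AccountStatus
	LastSeq uint64 // highest transaction sequence number accepted so far
}

// Registry stands in for the institution's account database (constructed
// for this example).
type Registry struct{ accounts map[string]*Account }

func NewRegistry() *Registry { return &Registry{accounts: map[string]*Account{}} }

// Enroll stores the public key. A relying-party-only CA would do exactly
// this and then also mint a certificate; here that step is simply omitted.
func (r *Registry) Enroll(id string, pub *ecdsa.PublicKey) {
	r.accounts[id] = &Account{PubKey: pub, Status: Active}
}

// SetStatus is the whole "revocation" mechanism: flip the flag in the
// record the verifier reads anyway.
func (r *Registry) SetStatus(id string, s AccountStatus) {
	if a, ok := r.accounts[id]; ok {
		a.Status = s
	}
}

// Transaction is what the account holder signs. Seq defeats replay.
type Transaction struct {
	AccountID string
	Payload   string
	Seq       uint64
}

func (t Transaction) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%s\x00%d", t.AccountID, t.Payload, t.Seq)
	return h.Sum(nil)
}

// Sign is the client side: plain ECDSA over the transaction digest.
func Sign(priv *ecdsa.PrivateKey, t Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, t.digest())
}

// Authenticate is the server side. Status check, key retrieval and
// signature verification all come out of the same account record.
func (r *Registry) Authenticate(t Transaction, sig []byte) error {
	a, ok := r.accounts[t.AccountID]
	if !ok {
		return errors.New("unknown account")
	}
	if a.Status != Active {
		return fmt.Errorf("account %q is not active", t.AccountID)
	}
	if t.Seq <= a.LastSeq {
		return fmt.Errorf("replayed or stale sequence %d", t.Seq)
	}
	if !ecdsa.VerifyASN1(a.PubKey, t.digest(), sig) {
		return errors.New("signature does not verify against registered key")
	}
	a.LastSeq = t.Seq
	return nil
}

// Demo walks through enrol, sign, verify, replay, forgery and suspension,
// returning the outcome of each check (nil means accepted).
func Demo() (fresh, replay, forged, suspended error) {
	reg := NewRegistry()
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	reg.Enroll("acct-1001", &priv.PublicKey)

	tx := Transaction{AccountID: "acct-1001", Payload: "pay 100 to acct-2002", Seq: 1}
	sig, _ := Sign(priv, tx)
	fresh = reg.Authenticate(tx, sig)  // accepted
	replay = reg.Authenticate(tx, sig) // same Seq again: rejected

	// A key the institution never enrolled cannot speak for the account,
	// even though it produces a perfectly valid ECDSA signature.
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tx2 := Transaction{AccountID: "acct-1001", Payload: "pay 100 to acct-2002", Seq: 2}
	badSig, _ := Sign(other, tx2)
	forged = reg.Authenticate(tx2, badSig)

	// Suspension is a status flip in the record the verifier already reads.
	reg.SetStatus("acct-1001", Suspended)
	goodSig, _ := Sign(priv, tx2)
	suspended = reg.Authenticate(tx2, goodSig)
	return
}

func main() {
	fresh, replay, forged, suspended := Demo()
	fmt.Println("fresh:", fresh, "| replay:", replay, "| forged:", forged, "| suspended:", suspended)
}
```

The point of the example is the shape of Authenticate: every input a certificate would carry (the key, its binding to the account, and its current validity) is already in the record the transaction has to touch, which is the redundancy the post describes.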
