RE: Storing Client Certificates
From: Todd Bright (ToddBright_at_discussions.microsoft.com)
Date: 03/24/05
- Next message: Todd Bright: "RE: Storing Client Certificates"
- Previous message: Valery Pryamikov: "Re: Windows Authentication question"
- In reply to: Todd Bright: "Storing Client Certificates"
- Next in thread: Michel Gallant: "Re: Storing Client Certificates"
- Reply: Michel Gallant: "Re: Storing Client Certificates"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 24 Mar 2005 09:07:02 -0800
Maybe I should back up here. From what I've read, the client-side cert is
generated based on the server-side cert and is used for authentication to
access the web site on the IIS server.

We are going to have several hundred (or thousand) clients accessing our
servers. As an extra security measure we are going to use client-side certs
in order to validate that a client accessing a web server is actually one of
our installed clients and not just someone coming in through a browser who
"happened" upon the URL.

I've tested this, and if you tell your web site in IIS to require client
certificates and the client doesn't have the appropriate client certificate,
the server will return an error page. Now, if someone hacks into the
client's machine and is able to find the cert file (assuming it's stored on
the HDD in its own file), the hacker will be able to do anything that our
client application is doing (i.e. upload files). He will, in a sense, become
our client application as far as the server is concerned.

Am I way off base here? If so, what is the use of client certificates other
than to authenticate with the server? If not, my question still stands:
what's a good way to store the client cert on the client machine so no one can
get their hands on it and use it to authenticate themselves with the server?
"Todd Bright" wrote:
> Is there a way in .Net to specify that an embedded resource can only be
> accessed from within the assembly?
>
> Or, in general, what is the best/most secure way of storing a client-side
> cert without having to have a user profile?
>
> Thanks,
> Todd
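As an added illustration of one common answer to the question above (not code from this thread or from Microsoft), the .NET client can pick its certificate out of the Windows certificate store by thumbprint and attach it to the request, so the private key never sits on the disk as a standalone file; it assumes the certificate was imported into the LocalMachine "Personal" store with a non-exportable key, and the thumbprint and URL are placeholders.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example: locate the client certificate in the OS certificate store
// (instead of a .pfx/.cer file on the HDD) and use it for IIS client-cert auth.
class ClientCertExample
{
    // Placeholder: SHA-1 thumbprint of the client certificate you imported.
    const string Thumbprint = "0000000000000000000000000000000000000000";
    // Placeholder: the IIS site that requires client certificates.
    const string Url = "https://example.invalid/upload";

    // Returns the matching certificate, or null if it is absent, expired/untrusted,
    // or has no private key usable by the current account.
    static X509Certificate2 FindClientCert(StoreLocation location)
    {
        X509Store store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true filters out expired or untrusted certificates.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, Thumbprint, true);
            if (matches.Count == 0) return null;

            X509Certificate2 cert = matches[0];
            // Without an accessible private key the TLS handshake cannot sign
            // the CertificateVerify message, so client auth would fail anyway.
            if (!cert.HasPrivateKey) return null;
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    static void Main()
    {
        X509Certificate2 cert = FindClientCert(StoreLocation.LocalMachine);
        if (cert == null)
        {
            Console.WriteLine("Client certificate not found or unusable.");
            return;
        }

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(Url);
        request.ClientCertificates.Add(cert);
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        {
            Console.WriteLine("Server responded: " + (int)response.StatusCode);
        }
    }
}
```

Importing the key as non-exportable and restricting the store's private-key ACL to the account the client runs as keeps an attacker from simply copying the key off the machine, but code running under that same account can still use it, so this narrows the exposure described in the post rather than eliminating it.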