Re: Using smartcard as certificate store

From: Daniel James (wastebasket_at_nospam.aaisp.org)
Date: 01/20/05


Date: Thu, 20 Jan 2005 11:06:23 GMT

In article news:<N0zHd.285$r27.52@newsread1.news.pas.earthlink.net>, Wt
wrote:
> What I REALLY want to do is to modify the default certificate store
> for IE so that it would automatically save the certificates
> automatically acquired to smart card while browsing to secure websites.

Why would you want to do that?

When you browse to a secure website the site will TELL you its certificate
- and that certificate might change between visits (the old one might
expire or be revoked) so you really don't want to be keeping an obsolete
copy.

Consider, also, that a smartcard has maybe 16kiB of memory -- and an X509
certificate is typically 1KiB or more -- so you wouldn't be able to store
more than a handful of certificates on one anyway.

What *does* make sense is to store a small number of trusted CA root
certificates on a smartcard and to use these when validating the
certificates that are downloaded when browsing using an untrusted terminal
... or at least to store the public key hashes of those certificates
(which are smaller, so you can store more of them) so that you know
whether the downloaded certs are genuine. You have to make sure that the
CA certs (or hashes) on the smartcard are kept up-to-date, or you'll risk
rejecting valid server certificates that were generated using newer CA
keys than those whose certificates are stored on the card ... but as long
as you do that the technique provides useful protection against
man-in-the-middle attacks.

Of course, you also want to keep your own certificate(s), for the private
key(s) on the smartcard, with those keys on the smartcard.

Cheers,
 Daniel.
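
Added example, not part of the original post: a sketch of the public-key-hash check described above, including the stale-card case where a server chain issued under a newer CA key is rejected until the card is updated. All function names are hypothetical, SHA-256 over the DER SubjectPublicKeyInfo is an assumed choice of hash, the certificates are constructed stand-ins, and signature verification of the chain is assumed to happen separately.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                          # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_der(cert):
    """Slice the SubjectPublicKeyInfo element out of a DER X.509 certificate."""
    _, start, _ = read_tlv(cert, 0)           # Certificate
    _, pos, end = read_tlv(cert, start)       # TBSCertificate
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(cert, pos)
        fields.append((tag, pos, nxt))
        pos = nxt
    # Optional [0] version, then serial, sigAlg, issuer, validity, subject, SPKI
    idx = 6 if fields and fields[0][0] == 0xA0 else 5
    if len(fields) <= idx or fields[idx][0] != 0x30:
        raise ValueError("no SubjectPublicKeyInfo found")
    return cert[fields[idx][1]:fields[idx][2]]

def key_hash(cert):
    """32-byte value stored on the card in place of the ~1 KiB certificate."""
    return hashlib.sha256(spki_der(cert)).digest()

def chain_is_pinned(chain, card_hashes):
    """True if any certificate in the presented chain carries a pinned CA key."""
    return any(key_hash(c) in card_hashes for c in chain)

# --- constructed stand-ins, not real certificates (short-form lengths only) ---
def tlv(tag, value):
    return bytes([tag, len(value)]) + value

def fake_cert(key, serial=1):
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + tlv(0x30, b"") * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

OLD_CA, NEW_CA = fake_cert(b"old-ca-key"), fake_cert(b"new-ca-key")
CARD = {key_hash(OLD_CA)}                     # what the card currently holds
```

Because the hash covers only the key, a CA certificate re-issued with the same key still matches the value on the card; only a change of CA key requires a card update.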