Re: Using smartcard as certificate store

From: Daniel James (wastebasket_at_nospam.aaisp.org)
Date: 01/20/05


Date: Thu, 20 Jan 2005 11:06:23 GMT

In article news:<N0zHd.285$r27.52@newsread1.news.pas.earthlink.net>, Wt
wrote:
> What I REALLY want to do is to modify the default certificate store
> for IE so that it would automatically save the certificates
> automatically acquired to smart card while browsing to secure websites.

Why would you want to do that?

When you browse to a secure website the site will TELL you its certificate
- and that certificate might change between visits (the old one might
expire or be revoked) so you really don't want to be keeping an obsolete
copy.

Consider, also, that a smartcard has maybe 16 KiB of memory -- and an X509
certificate is typically 1 KiB or more -- so you wouldn't be able to store
more than a handful of certificates on one anyway.

What *does* make sense is to store a small number of trusted CA root
certificates on a smartcard and to use these when validating the
certificates that are downloaded when browsing using an untrusted terminal
... or at least to store the public key hashes of those certificates
(which are smaller, so you can store more of them) so that you know
whether the downloaded certs are genuine. You have to make sure that the
CA certs (or hashes) on the smartcard are kept up-to-date, or you'll risk
rejecting valid server certificates that were generated using newer CA
keys than those whose certificates are stored on the card ... but as long
as you do that the technique provides useful protection against
man-in-the-middle attacks.

Of course, you also want to keep your own certificate(s), for the private
key(s) on the smartcard, with those keys on the smartcard.

Cheers,
 Daniel.
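The root-pinning scheme the post describes, as an added example in Go that is not part of the original post or of any product it mentions: the card holds only SHA-256 hashes of trusted CA public keys (32 bytes each, so many fit in 16 KiB), a server's chain is accepted only if it ends in a CA whose hash is on the card, and the stale-card caveat shows up as a rejection of a server issued under a CA with a rotated key until the card is refreshed. All certificates, CA names and host names are constructed in-process for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// spkiHash is what the card stores: SHA-256 of a CA's SubjectPublicKeyInfo (32 bytes, not ~1 KiB).
func spkiHash(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// tmpl describes a CA (ca=true) or a server certificate for name, valid for a day.
func tmpl(name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert generates an Ed25519 key and signs t with signer (self-signed when signer is nil).
// The certificates are constructed in-process for the example, so a failure just panics.
func newCert(t, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if signer == nil {
		signer, parent = key, t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// VerifyWithCard trusts only the presented CA certificates whose SPKI hash is on the card and
// then runs normal chain validation; a stale card (CA key rotated after the card was written)
// therefore rejects a perfectly valid server, the failure mode the post warns about.
func VerifyWithCard(card map[[32]byte]bool, leaf *x509.Certificate, presented []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, c := range presented {
		if c.IsCA && card[spkiHash(c)] {
			roots.AddCert(c)
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```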