Re: Using smartcard as certificate store

From: Daniel James (wastebasket_at_nospam.aaisp.org)
Date: 01/21/05


Date: Fri, 21 Jan 2005 11:42:15 GMT

In article news:<1lUHd.1065$YD5.130@newsread3.news.pas.earthlink.net>, Wt
wrote:
> > Why would you want to do that?
> What we are doing here is what they call secure personal server on
> a USB token. It allows the user to perform secure operations like web
> browsing, e-mail by plugging it into any host machine, and taking any
> secure info with it when it is unplugged from the host machine. For
> that reason, we want to put the certificates we acquire when browsing
> to secure website on the token, ...

I agree that that's a good example of a situation in which you want to
keep a trusted store of CA certificates and your own private keys and
their certificates on the token.

You should still not need to store certificates from arbitrary websites
on your token, and I still can't think of any reason why you should want
to ... unless you're talking about using some website to obtain a
certificate for your *own* key?

> > Consider, also, that a smartcard has maybe 16kiB of memory -- and
> > an X509 certificate is typically 1KiB or more -- so you wouldn't
> > be able to store more than a handful of certificates on one anyway.
> The USB drive has plenty of memory, from 256M upwards.

OK <smile> you said "smartcard" and I didn't realize you meant "thing
that isn't a smartcard but is treated by CAPI as though it were one"!

> I hope IE can manage the certificates as it usually does when the
> certificate store is on the host machine. All I want to do here is
> to relocate the store to the USB token, and have IE store to, and
> retrieve from, it.

It's not what IE does that's important, here, it's what CAPI does (IE
just lets CAPI get on with it). I think you're out of luck, though, CAPI
only looks for certificates in its local certificate store (on disk).

The nearest you're likely to be able to get to what you want is to copy
the certificates from the token to the local CAPI store ... but that's
far from ideal.

Cheers,
 Daniel.
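The workaround Daniel describes, copying the certificates from the token into the local CAPI store, as an added PowerShell example that is not part of the original thread. It uses the .NET X509Store class (the same CAPI-backed stores IE reads) to import the token's CA certificates into the current user's Root store and the user's own PKCS#12 key files into the Personal (My) store, skipping anything already present, and then checks the result through the Cert: drive. The mount point E:\certs and the ca\ and my\ folder layout are assumptions for the example.

```powershell
# Added example (not code from the post): copy certificates held on a USB
# token into the current user's local CAPI stores so CAPI, and therefore IE,
# can find them. Assumed layout on the token (hypothetical):
#   <TokenRoot>\ca\*.cer   CA certificates to trust (DER or Base64 .cer/.crt)
#   <TokenRoot>\my\*.pfx   the user's own keys and certificates (PKCS#12)
param(
    [string]$TokenRoot     = 'E:\certs',     # assumed mount point of the token
    [string]$StoreLocation = 'CurrentUser'   # per-user stores need no admin rights
)

function Import-TokenCertificates {
    param(
        [string]$Folder,                           # folder on the token to read
        [string]$StoreName,                        # 'Root' (trusted CAs) or 'My' (personal)
        [string]$StoreLocation,
        [System.Security.SecureString]$PfxPassword # only used for .pfx files
    )
    $imported = @()
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
                -ArgumentList $StoreName, $StoreLocation
    $store.Open('ReadWrite')
    try {
        foreach ($file in Get-ChildItem -Path $Folder | Where-Object { -not $_.PSIsContainer }) {
            $ext = $file.Extension.ToLower()
            if ($ext -eq '.pfx') {
                # Persist the private key into the user's CAPI key container; without
                # PersistKeySet CAPI would see the certificate but have no key to sign with.
                $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet'
                $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                            -ArgumentList $file.FullName, $PfxPassword, $flags
            }
            elseif ($ext -eq '.cer' -or $ext -eq '.crt') {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                            -ArgumentList $file.FullName
            }
            else { continue }   # ignore anything that is not a certificate file

            # Do not add the same certificate twice; thumbprint is the SHA-1 of the DER encoding.
            $already = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
            if ($already.Count -gt 0) {
                Write-Verbose "Skipping $($file.Name): already in $StoreLocation\$StoreName"
                continue
            }
            $store.Add($cert)
            $imported += $cert
            Write-Verbose "Imported $($file.Name) ($($cert.Subject)) into $StoreLocation\$StoreName"
        }
    }
    finally { $store.Close() }
    return $imported
}

function Test-StoreContains {
    # Check via the Cert: provider, i.e. the store as CAPI consumers see it.
    param([string]$StoreLocation, [string]$StoreName, [string]$Thumbprint)
    return Test-Path -Path "Cert:\$StoreLocation\$StoreName\$Thumbprint"
}

# 1. Trust the CA certificates carried on the token.
$cas = Import-TokenCertificates -Folder (Join-Path $TokenRoot 'ca') `
           -StoreName 'Root' -StoreLocation $StoreLocation

# 2. Install the user's own certificates and private keys.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$mine = Import-TokenCertificates -Folder (Join-Path $TokenRoot 'my') `
            -StoreName 'My' -StoreLocation $StoreLocation -PfxPassword $pfxPassword

# 3. Verify that everything copied is now visible in the local CAPI stores.
foreach ($c in @($cas)) {
    if (-not (Test-StoreContains $StoreLocation 'Root' $c.Thumbprint)) {
        Write-Warning "CA certificate $($c.Subject) not found in $StoreLocation\Root"
    }
}
foreach ($c in @($mine)) {
    if (-not (Test-StoreContains $StoreLocation 'My' $c.Thumbprint)) {
        Write-Warning "Personal certificate $($c.Subject) not found in $StoreLocation\My"
    }
    elseif (-not $c.HasPrivateKey) {
        Write-Warning "Personal certificate $($c.Subject) has no private key; IE cannot use it for client auth"
    }
}
"Imported $(@($cas).Count) CA certificate(s) and $(@($mine).Count) personal certificate(s)."
```

Two points worth knowing before running this: Windows pops up its trust confirmation dialog for every certificate added to the CurrentUser\Root store, and the private keys from the .pfx files end up in the user's CAPI key container on the host, not on the token. That second point is exactly why the copy is "far from ideal": the secrets now live on the host machine and are not removed when the token is unplugged, so anyone relying on this should delete them from the local stores before leaving the host.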
