Re: question about private certificate stored on smart card
From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 02/20/05
- Previous message: IdentIT Inc: "Re: question about private certificate stored on smart card"
- In reply to: IdentIT Inc: "Re: question about private certificate stored on smart card"
Date: Sun, 20 Feb 2005 20:36:23 +0100
Thanks for the FYI. I will take a look :-)
Mike
"Brian Komar (IdentIT Inc)" <bkomar@nospam.identit.ca> wrote in message
news:MPG.1c8298d475832157989686@msnews.microsoft.com...
> In article <ODFkoR1FFHA.1260@TK2MSFTNGP12.phx.gbl>, mihap-news@atlantis.si says...
>> Hi,
>>
>> With Windows 2003 CA there is an option to archive a user's private key.
>> Archival is done automatically when the certificate is issued. As far as I
>> was able to find out, there are no smart card CSPs available today that
>> would support this feature. So what you would have to do is issue a
>> certificate that would enable the user's file encryption on a hard drive
>> and later import it on a smart card.
>> In general, smart card archival was designed to prevent data loss. After a
>> user loses his private key, you are able to recover it from the certificate
>> database, but you should also revoke the certificate (the user is still
>> able to decrypt all his information) and issue the user a new certificate.
>>
>> You have to know that doing all this (and storing smart cards with users'
>> private keys in a safe) practically destroys the whole concept of deploying
>> PKI. If there is a security breach on my documents I can always blame it on
>> the people who have access to the safe with the smart cards (and if I was
>> the administrator I wouldn't want such responsibility).
>>
>> The situation that you describe should have been addressed when you were
>> deploying your CA architecture; you should have a written procedure on what
>> to do when users come into the office without the smart card. There is also
>> a user education part of deploying PKI where I usually explain to the end
>> user to consider the smart card as a passport. You don't get very far on
>> your trip without it (and customs don't issue temporary passports).
>>
>> On the other hand, I usually try to deploy integrated smart cards (smart
>> cards that are also proximity cards) for my customers. These cards enable
>> users to access their office and register their arrival time. In this case
>> it is less likely they will forget them at home.
>>
>>
> Just as an FYI, I do work with a product that does allow the recovery of
> encryption certificate private keys (if they are archived) to smart card
> devices. The software in question is the registration authority idNexus
> (see www.alacris.com for details).
>
> The software does allow recovery of smart card encryption certificates.
> This is accomplished through the use of smart card middleware (PKCS #11
> libraries typically). The software allows both the duplication and
> recovery operations.
>
> Brian
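The recover / revoke / reissue sequence Miha describes in the quoted post, scripted around certutil on a Windows Server 2003 (or later) enterprise CA with key archival enabled. This is an added example for the thread, not code from either poster or from the idNexus product; the CA config string, the user's UPN, the old certificate serial, the working directory and the PFX password handling are assumptions. Getting the recovered key onto a smart card afterwards is left to the card's middleware, which is exactly the gap the two posts disagree about, so that step is not scripted here.

```powershell
# Added example, not from the thread. Recover an archived EFS/encryption
# private key from the CA database, then revoke the old certificate so the
# (possibly lost) original key stops being trusted. Two roles are involved:
#   1. A CA officer (Issue and Manage Certificates permission) runs -getkey
#      to pull the archived key blob, which is still encrypted to the KRA.
#   2. The Key Recovery Agent, whose KRA private key is in their own store,
#      runs -recoverkey to turn the blob into a password-protected PFX.
# The same person may do both in a small shop, but separating them is the
# point of the KRA design, so the steps are kept as separate functions.

# All of these names are assumptions for the example; replace with your own.
$CAConfig     = 'ca01.corp.example\Corp Issuing CA'   # assumed CA config string
$OldSerial    = '1a2b3c4d000000000005'                # assumed serial of the old cert
$WorkDir      = 'C:\KeyRecovery'                      # assumed working directory
$RevokeReason = 4   # 4 = Superseded; use 1 (KeyCompromise) if you suspect theft

function Invoke-CertUtil {
    # Run certutil with the given arguments and stop on a non-zero exit code.
    param([string[]]$Arguments)
    & certutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Export-ArchivedKeyBlob {
    # CA officer step: -getkey accepts a serial number, CN, UPN or hash as the
    # search token and writes the KRA-encrypted recovery blob to a file.
    param([string]$Config, [string]$SearchToken, [string]$BlobPath)
    Invoke-CertUtil @('-config', $Config, '-getkey', $SearchToken, $BlobPath)
    if (-not (Test-Path $BlobPath)) { throw "no recovery blob written to $BlobPath" }
    return $BlobPath
}

function Restore-KeyToPfx {
    # KRA step: -recoverkey decrypts the blob with the KRA private key in the
    # caller's store and emits a PFX protected with the supplied password.
    param([string]$BlobPath, [string]$PfxPath, [string]$PfxPassword)
    Invoke-CertUtil @('-p', $PfxPassword, '-recoverkey', $BlobPath, $PfxPath)
    if (-not (Test-Path $PfxPath)) { throw "no PFX written to $PfxPath" }
    return $PfxPath
}

function Revoke-OldCertificate {
    # The recovered key now exists outside the user's original token, so the
    # old certificate is revoked and the user enrolls for a fresh one.
    param([string]$Config, [string]$Serial, [int]$Reason)
    Invoke-CertUtil @('-config', $Config, '-revoke', $Serial, $Reason)
}

# --- Procedure as described in the thread ---------------------------------
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$blob = Export-ArchivedKeyBlob -Config $CAConfig -SearchToken $OldSerial `
                               -BlobPath (Join-Path $WorkDir "$OldSerial.blob")

# Prompt for the PFX password rather than hard-coding it; the PFX is the
# user's decryption key in the clear apart from this password, so treat the
# file like the smart card it is about to replace.
$secure = Read-Host -Prompt 'Password to protect the recovered PFX' -AsSecureString
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

$pfx = Restore-KeyToPfx -BlobPath $blob -PfxPath (Join-Path $WorkDir "$OldSerial.pfx") `
                        -PfxPassword $plain

Revoke-OldCertificate -Config $CAConfig -Serial $OldSerial -Reason $RevokeReason

# Publish a fresh CRL so relying parties see the revocation promptly.
Invoke-CertUtil @('-config', $CAConfig, '-crl')

Write-Host "Recovered key written to $pfx; old certificate $OldSerial revoked."
Write-Host "Hand the PFX to the user over a controlled channel, have them re-enroll"
Write-Host "for a new certificate, and delete the PFX once it is imported."
```

Run the first function as a CA officer and the second as the KRA holder; certutil will fail with an access-denied or "no KRA key" error if the wrong account attempts the step, which is the check you want. Reason code 4 (Superseded) fits the forgotten-card case the thread discusses; if the card itself is unaccounted for, use 1 (KeyCompromise) instead, since the old key may still be usable by whoever holds the card.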