Posted by Al Dunbar on January 13, 2008, 1:14 pm
> Hi all
>
> In our office we use certificates in smartcards extensively: smart
> card logon, e-mail and so on. In fact, users aren't allowed to make a
> logon with the traditional user/password pair. We use the 'enrollment
> agent' figure to request and deploy the certificates in the smartcards
> without knowing the credentials of our users.
>
> But the human failure is always present
Ah, yes, the human element. The species is very powerful, as we are all
capable of subverting whatever security measures have been put in place to
protect us from attack ;-)
> and sometimes people (e.g.
> CEO, Controller, Manager and so on) forget their smartcard, so we must
> revoke the certificate, take a new smart card and request a new
> certificate for the user. In time, they end up with 3 or 4 different
> cards.
But only one of those cards will actually contain a valid certificate,
right? If they are frustrated at not knowing which is which, you could put
the date of issue on each, and then the user would know that the one with
the latest date is the valid one, and the rest should be returned to be
recycled.
> So we want to create certificates by software, export them to a file
> in a very secure place, and if a user forgets his card simply take
> the saved certificate and write it to the smart card. But using the
> 'enrollment agent' figure we only have access to two templates
> (Smartcard user and other) and not to our custom templates. And worse,
> we can only choose hardware CSPs, not the software ones.
Smart cards are not my area of experience, let alone expertise, but...
We use Entrust PKI certificates, and have a policy against there ever being
more than one copy of each certificate. I am not sure if this is to protect
their integrity (when used, they are occasionally "updated", making them
different from any saved copy) or if there is another security principle
involved; I suspect both might be the case.
> How can I add a new template to the 'enrollment agent' web interface
> and select a software CSP?
I don't know; however, the fact that this seems not to be an option might be
a limitation of the system to protect the user from, for example, identity
theft based on a copy of a certificate. If so, defeating it will effectively
be defeating the security you are hoping to achieve.
> Is there another solution for our problem?
I don't know. But it is not your problem so much as that of the users you
support.
As you suggested earlier, the human element plays a significant part in
every security system. That is why certificate issuing systems (and even
password systems) include such actions as revocation and recovery. These
processes need to be at least somewhat of a chore, requiring a fairly
conclusive proof of identity, which cannot generally be easy to achieve. If
this were not the case the unauthorized would find a way to use them too.
/Al