[3891] in WWW Security List Archive
Re: More on Certificates - "transmissibility"
daemon@ATHENA.MIT.EDU (David Murray)
Mon Dec 23 16:04:41 1996
From: "David Murray" <dmurray@pdssoftware.com>
To: www-security@ns2.rutgers.edu
Date: Mon, 23 Dec 1996 13:50:49 -0500
Reply-To: dmurray@pdssoftware.com
In-reply-to: <32BD509C.2E92@90.deere.com>
Errors-To: owner-www-security@ns2.rutgers.edu
> si10875@ci.uminho.pt wrote:
> >
> > I have a doubt about client authentication using certificates.
> > Suppose I have a perfectly valid certificate, say passed by Thawte,
> > if I lend this certificate to a friend of mine, can he access a secure server
> > where I had permission to enter, even though he is on another IP address
> > and using another email address?
> >
> > As you might have noticed, my doubt is whether secure servers do any
> > run time verification of the information on the certificate.
> >
> > Thanks,
> >
> > Jorge
>
> I see your point, but from the time you "gave" your certificate to your friend it is no
> different than:
> 1. Giving your friend "Power of Attorney".
> 2. Give your buddy your car keys. And he / she wrecks your car.
> 3. Letting your buddy use your home for a party. Who cleans up?
> 4. Handing my credit cards to my wife and saying "go shop".
>
> As far as the Sys Admin at the server is concerned, it's you! If you give your buddy
> permission to use your good name, I hope you can trust your buddy.
>
[snip]
PMFJI, but there's a slight difference here that Jorge is also
glossing over. My keys and my credit card are in my pocket. My
digital ID is on a computer that, well, look at some of the obtuse
things that MS does, and you'll see my concern. My point is that
I may not be able to physically secure my computer, so I would never
know that my 'keys' had been lifted. How is this non-repudiation?
Dave
David N. Murray | PDS
Sr. Software Engineer | 670 Sentry Parkway
610/828-4294 | Blue Bell, PA 19422
dmurray@pdssoftware.com |
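To make concrete what a server actually sees after TLS client authentication, here is an added example (not code from this thread or from any product mentioned in it) of the authorization layer that would answer Jorge's question. The TLS handshake only proves that whoever connected holds the private key matching the certificate; every other check is policy the site operator has to write. The code below walks the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, pulls the e-mail identities out of it, checks the validity window, and consults an access list. The certificate fields, the ACL and the IP addresses are all constructed for the example. With bind_ip off, a friend presenting a borrowed certificate and key from any address is admitted, because nothing in the handshake carries the client's "other e-mail address" or ties the certificate to an IP; the optional source-address binding is the kind of extra check an administrator would have to add deliberately.

```python
import ssl
import time

# Constructed example of the dict ssl.SSLSocket.getpeercert() returns on a
# server with verify_mode = ssl.CERT_REQUIRED.  Names, issuer and dates are
# invented for illustration; this is not a real CA-issued certificate.
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "PT"),),
        (("commonName", "Jorge"),),
        (("emailAddress", "si10875@ci.uminho.pt"),),
    ),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("email", "si10875@ci.uminho.pt"),),
    "notBefore": "Dec 01 00:00:00 1996 GMT",
    "notAfter": "Dec 01 00:00:00 1997 GMT",
    "serialNumber": "0A",
}

# Constructed access list: e-mail identity -> addresses it was enrolled from.
ACL = {"si10875@ci.uminho.pt": {"193.136.9.1"}}

# A fixed "now" inside the certificate's validity window, for reproducible runs.
NOW_1997 = ssl.cert_time_to_seconds("Jun 01 00:00:00 1997 GMT")


def cert_emails(peercert):
    """Return every e-mail identity the certificate asserts.

    rfc822Name entries in subjectAltName are the modern place; the legacy
    emailAddress attribute of the subject DN is also honoured.
    """
    emails = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "email":
            emails.add(value.lower())
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "emailAddress":
                emails.add(value.lower())
    return emails


def cert_is_current(peercert, now=None):
    """True if `now` falls inside the notBefore/notAfter window."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    return not_before <= now <= not_after


def authorize_client(peercert, peer_ip, acl, now=None, bind_ip=False):
    """Policy decision after the TLS handshake has already verified the chain
    and proof of key possession.  Returns (allowed, reason_or_identity).

    bind_ip=False models the default most servers have: the certificate alone
    decides, so a lent certificate+key works from any address.
    bind_ip=True adds an operator-defined source-address check.
    """
    if not cert_is_current(peercert, now):
        return (False, "certificate outside its validity period")
    for email in cert_emails(peercert):
        if email in acl:
            if bind_ip and peer_ip not in acl[email]:
                return (False, f"{email} not expected from {peer_ip}")
            return (True, email)
    return (False, "no certificate identity is on the access list")


if __name__ == "__main__":
    # Owner from the enrolled address, then a friend with the borrowed cert.
    print(authorize_client(SAMPLE_PEERCERT, "193.136.9.1", ACL, now=NOW_1997))
    print(authorize_client(SAMPLE_PEERCERT, "10.0.0.7", ACL, now=NOW_1997))
    print(authorize_client(SAMPLE_PEERCERT, "10.0.0.7", ACL, now=NOW_1997,
                           bind_ip=True))
```

Note that even the bind_ip variant only narrows the window: it does nothing about the case Dave raises, where the key file is copied off an unprotected workstation and used from an expected address. The server-side fix for that lives in how the key is stored (hardware token, OS keystore with access control), not in certificate field checks.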