[3900] in WWW Security List Archive
Re: Re: More on Certificates - "transmissibility"
daemon@ATHENA.MIT.EDU (si10875@ci.uminho.pt)
Thu Dec 26 17:36:44 1996
From: si10875@ci.uminho.pt
Date: Thu, 26 Dec 1996 17:26:18 +0100
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
> > I have a doubt about client authentication using certificates.
> > Suppose I have a perfectly valid certificate, say passed by Thawte,
> > if I lend this certificate to a friend of mine, can he access a secure server
> > where I had permission to enter, even though he is on another IP address
> > and using another email address?
> >
> > As you might have noticed, my doubt is if secure servers do any
> > run time verification of the information on the certificate.
> >
> > Thanks,
> >
> > Jorge
> I see your point but from the time you "gave" your certificate to your friend is no
> different than:
> 1. Giving your friend "Power Of Attny".
> 2. Give your buddy your car keys. And he / she wrecks your car.
> 3. Letting your buddy use your home for a party. Who cleans up?
> 4. Handing my credit cards to my wife and saying "go shop".
>
> As far as the Sys Admin at the server is concerned it's you! If you give your buddy
> permission to use your good name I hope you can trust your buddy.
>
>
> The above is not a flame. We should consider certificates to be much like a credit
> card.
I figured the answer to my question would be the one I got.
But you have all answered me as if I intended to lend my certificate to some friends,
and my position is the opposite. I want to sell access to a secure server I want to set up,
and this transmissibility problem enables that I have more people accessing my site than
the clients I have (my idea is to sell access on a flat-rate basis, not a per-access basis).
I believe there is nothing you can do about that?
Because the product I want to sell is INFORMATION, and because I want to do it
on a flat-rate basis, the problem of lending the certificate to a friend is different from
giving the credit card to your wife: your friend using your certificate will cost you nothing.
Jorge