On Tue, 2006-04-25 at 16:42 +0530, Prasad wrote:
back to the thread, two things first:
- I work in TCS, but am not here to defend it
Good!
- Starting this thread back only to solve the problems with digital certificates issued by TCS-CA (I once worked on the digital certificates and related tools support for GNU/Linux here).
Even better :).
We tested the digital certificates with Firefox and OpenSSL on GNU/Linux and they did work. While I have no information about what M$ windows tools and software are being distributed along with the USB token, as far as I know all those tools also exist for GNU/Linux - at least inside TCS ;)
Digital certs have to be standards based to be of any use... Make them on any OS, they'll be trusted as long as they are signed by a valid/popular/trusted CA.
We normally associate the lack of awareness of issues like vendor lock-in and the philosophy of FOSS etc., with non-IT people. The sad truth is that even with the IT community, there are lots of people who are not aware of these issues - lots of them in big companies like TCS. The older have an excuse but there are a huge number of youngsters who are not aware too!
What is the use of your dongle if it gets stolen? The *real* issue is not about the certs. It is about the software that allows you to access those very certs. Ipso facto, quite a few providers give users additional software that keeps the private keys encrypted (mostly symmetric in nature). Again, there are industry standard ways to do this.
The question is... does TCS follow the standards? Is the software secure? Whether or not they provide sources of this software, on most systems strcpy() still causes a lot of pain and anguish. And is this software compatible with GNU/Linux, BSDs and a host of other OSs out there?
Another important question is... can I generate my own cert and get it signed by TCS? In case I do not want the dongle? Dongle-only certs are a stupid way of doing things.
Prasad, I'll be glad if you could point me to the right person inside TCS so that these questions get answered.
What concerns me more is the level of ignorance of the people who will be using these tools! During the heydays of email, I had seen a highly-placed government stooge who would distribute his password with his email. He thought only people with the password can send him email.
What's worse? One of my friends has a letter from VSNL dating back to when TCP/IP connections were just introduced in India. It said that the IP addresses of their DNS servers were a national secret and won't be revealed under any circumstances.
On one hand what is happening is good from an e-governance POV. But according to my history books, Indian technology users are really bad at coping with technological changes. The only solution is easier to use tools and good fundamental education.
Regards,
ah
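
On the questions raised above (generating your own key so that only a request goes to the CA, and keeping the private key symmetrically encrypted at rest in a standard format), here is an added example using the OpenSSL CLI. It is not part of the original message and not TCS-CA's tooling; the function names, file names and subject string are assumptions.

```shell
#!/bin/sh
# Added illustration: the private key never leaves the user's machine; only
# the CSR (public key + subject, self-signed) is sent to the CA for signing.

# make_csr <dir> <passphrase> <subject>
# Writes <dir>/user.key (PKCS#8, AES-256 encrypted) and <dir>/user.csr.
make_csr() (
    umask 077                      # key file readable by the owner only
    mkdir -p "$1" || exit 1
    # Passphrase is passed via the environment, not argv, so it does not
    # show up in the process list.
    PASS="$2" openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass env:PASS -out "$1/user.key" 2>/dev/null || exit 1
    PASS="$2" openssl req -new -key "$1/user.key" -passin env:PASS \
        -subj "$3" -out "$1/user.csr" 2>/dev/null || exit 1
)

# csr_ok <csr>: succeeds if the CSR's self-signature verifies, i.e. the
# requester holds the private key matching the public key in the request.
csr_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# key_opens <keyfile> <passphrase>: succeeds only if the passphrase decrypts
# the key. A stolen key file is useless without it (given a strong passphrase).
key_opens() {
    PASS="$2" openssl pkey -in "$1" -passin env:PASS -noout >/dev/null 2>&1
}

# Usage (constructed values):
#   make_csr ./req 'long passphrase here' '/CN=Example User/O=Example Org'
#   csr_ok ./req/user.csr && echo "send req/user.csr to the CA"
```

Whether a given CA accepts a user-generated CSR instead of a token-generated key is a policy question for that CA; the formats themselves (PKCS#8, PKCS#10) work on any OS.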