Prasad wrote:
On Wed, April 26, 2006 16:42, Amol Hatwar said:
On Tue, 2006-04-25 at 16:42 +0530, Prasad wrote:
Back to the thread, two things first:
What is the use of your dongle if it gets stolen? The *real* issue is not about the certs. It is about the software that allows you to access those very certs. Ipso facto, quite a few providers give users additional software that keeps the private keys encrypted (mostly symmetric in nature). Again, there are industry standard ways to do this.
Well, it's not my dongle ;) The browsers use the PKCS11 interfaces to interact with hardware tokens for certificates. The hardware tokens never give out the private key, hence irrespective of how safe the application is, the certificate private key is safe. You could then use the hardware token without any worries even at an internet center (untrusted systems). It's a tradeoff between losing your hardware token (it is still password protected) and losing your private key!
I remember the TCS people telling us that the dongle is protected with a PIN type password (similar to those used in ATM cards?). Also that if you lose the dongle, you have to immediately call TCS who will then withdraw the certificate. So if the certificate is withdrawn, then anyone using it after it is withdrawn also does not benefit. You are also required to inform the MCA that you are replacing your digital certificate.
Of course, you will need to pay TCS Rs. 2075 for another digital certificate. But that is fair and a punishment for being careless with your equipment. Are you going to do things like that with your credit card? If you don't lose your credit card, why will you want to lose your Digital Certificate Token?
The question is... does TCS follow the standards? Is the software secure? Whether or not they provide sources of this software, on most systems strcpy() still causes a lot of pain and anguish. And is this software compatible with GNU/Linux, BSDs and a host of other OSs out there?
TCS does follow standards. As long as the private key is in a hardware token, irrespective of how secure your operating system or application is, the private key is safe and secure. I would be the first to party if TCS releases the source-code of these applications... but am not sure if they would. There definitely is software compatible with GNU/Linux and other free operating systems - mostly based either on OpenSSL or on Mozilla NSS.
Another important question is... can I generate my own cert and get it signed by TCS? In case I do not want the dongle? Dongle-only certs are a stupid way of doing things.
I think you can. As far as I remember, the system generates the certificate request on the client browser - which is on the user side. There probably is also a way to put in your request directly into a form (I saw it somewhere, not sure if it was on TCS-CA).
Prasad, I'll be glad if you could point me to the right person inside TCS so that these questions get answered.
Well, not sure if I can give you any email-ids, but you should still be able to find some kind of contact information on http://www.tcs-ca.tcs.co.in/
What concerns me more is the level of ignorance of the people who will be using these tools! During the heydays of email, I had seen a highly-placed government stooge who would distribute his password with his email. He thought only people with the password could send him email.
What's worse? One of my friends has a letter from VSNL dating back to when TCP/IP connections were just introduced in India. It said that the IP addresses of their DNS servers were a national secret and won't be revealed under any circumstances.
On one hand what is happening is good from an e-governance POV. But according to my history books, Indian technology users are really bad at coping with technological changes. The only solution is easier to use tools and good fundamental education.
Well, the ignorance of end-users is one probable reason why they need hardware tokens and not certificates stored in browsers/system. People are rarely aware of the security risks when they browse the internet or do banking transactions on public machines :(
Prasad