back to the thread, two things first:
1. I work in TCS, but am not here to defend it
2. Starting this thread back only to solve the problems with digital certificates issued by TCS-CA (I once worked on the digital certificates and related tools support for GNU/Linux here).
We tested the digital certificates with Firefox and OpenSSL on GNU/Linux and they did work. While I have no information about what M$ Windows tools and software are being distributed along with the USB token, as far as I know all those tools also exist for GNU/Linux - at least inside TCS ;)
We normally associate the lack of awareness of issues like vendor lock-in and the philosophy of FOSS etc., with non-IT people. The sad truth is that even with the IT community, there are lots of people who are not aware of these issues - lots of them in big companies like TCS. The older have an excuse but there are a huge number of youngsters who are not aware too!
Well, in my opinion (a) this is not something done intentionally and knowingly; at best it is ignorance, at worst it is succumbing to a perceived convenience (http://www.zdnet.com.au/news/software/0,2000061733,39168780,00.htm) and (b) as many people as possible should protest -- the objective is to raise awareness of the issue both in the user and the developer communities, not to blame or malign someone.
will see if we can do anything about it, from inside!
Prasad
Prasad wrote:
> back to the thread, two things first:
> - I work in TCS, but am not here to defend it
> - Starting this thread back only to solve the problems with digital certificates issued by TCS-CA (I once worked on the digital certificates and related tools support for GNU/Linux here).
> We tested the digital certificates with Firefox and OpenSSL on GNU/Linux and they did work. While I have no information about what M$ Windows tools and software are being distributed along with the USB token, as far as I know all those tools also exist for GNU/Linux - at least inside TCS ;)
MCA-21 is a new system that the Department of Company Affairs has implemented from today. Under that system, all documents which were earlier submitted to them on paper now need to be done in digital form. The forms are there in digital form, which need to be filled on your PC / Laptop, then there are buttons that are to be clicked and it takes the digital signature from the token and adds it to the file. Finally, the entire document with the signatures (and I believe encrypted) is uploaded to the MCA-21 server through a portal.
I do not know, first, if the form works in Linux and second, if the token will be recognised from Linux (the TCS guys told me it will - I mentioned that in the OP, but only for basic features.) Since I know very little about digital certificates, I thought the LUG, and people like Dr. Nagarjuna, will be able to ensure it works properly and that we don't get locked out.
In addition, TCS is giving some software that will make it easier to manage the digital signing of documents and to use the digital signature / digital certificate for all other purposes (other than MCA-21). They have not demonstrated that software, they just mentioned it. When I asked the question specifically about Linux and Mac, they told me that it has been made on Windows as most computers work on Windows only.
If the software works on Linux, that is the best; if it does not, and there are alternate tools in Linux which do the same thing, it is also acceptable. If the TCS reps and their partners inform people how they can get such features to work on Linux, it would be an added advantage. Of course they didn't expect an accountant to come over and ask them about Linux and drivers... :-)
That is my intention of posting the message here.
> We normally associate the lack of awareness of issues like vendor lock-in and the philosophy of FOSS etc., with non-IT people. The sad truth is that even with the IT community, there are lots of people who are not aware of these issues - lots of them in big companies like TCS. The older have an excuse but there are a huge number of youngsters who are not aware too!
> Well, in my opinion (a) this is not something done intentionally and knowingly; at best it is ignorance, at worst it is succumbing to a perceived convenience (http://www.zdnet.com.au/news/software/0,2000061733,39168780,00.htm) and (b) as many people as possible should protest -- the objective is to raise awareness of the issue both in the user and the developer communities, not to blame or malign someone.
> will see if we can do anything about it, from inside!
> Prasad
On 25/04/06 22:22 +0530, Saswata Banerjee & Associates wrote:
<snip>
> Since I know very little about digital certificates, I thought the LUG, and people like Dr. Nagarjuna, will be able to ensure it works properly and that we don't get locked out.
The law mandates certificates in the form of X.509 certificates. These are also used for https, smtps and any other form of TLS transactions.
The law is bad in that it mandates a tree of trust rather than a web of trust. However, Verisign has made significant $$$ with that model.
> In addition, TCS is giving some software that will make it easier to manage the digital signing of documents and to use the digital signature / digital certificate for all other purposes (other than MCA-21). They have not demonstrated that software, they just mentioned it. When I asked the question specifically about Linux and Mac, they told me that it has been made on Windows as most computers work on Windows only.
OpenSSL should work fine for that.
> If the software works on Linux, that is the best; if it does not, and there are alternate tools in Linux which do the same thing, it is also acceptable. If the TCS reps and their partners inform people how they can get such features to work on Linux, it would be an added advantage. Of course they didn't expect an accountant to come over and ask them about Linux and drivers... :-)
The problem with tax filing is that the application uses Adobe forms which work in Windows only.
If this was just generating a PDF to specs, and then signing it, that would have been trivial to automate. TeX + OpenSSL make for good tools.
Devdas Bhagat
On Tue, 2006-04-25 at 16:42 +0530, Prasad wrote:
> back to the thread, two things first:
> - I work in TCS, but am not here to defend it
Good!
> - Starting this thread back only to solve the problems with digital certificates issued by TCS-CA (I once worked on the digital certificates and related tools support for GNU/Linux here).
Even better :).
> We tested the digital certificates with Firefox and OpenSSL on GNU/Linux and they did work. While I have no information about what M$ Windows tools and software are being distributed along with the USB token, as far as I know all those tools also exist for GNU/Linux - at least inside TCS ;)
Digital certs have to be standards based to be of any use... Make them on any OS, they'll be trusted as long as they are signed by a valid/popular/trusted CA.
> We normally associate the lack of awareness of issues like vendor lock-in and the philosophy of FOSS etc., with non-IT people. The sad truth is that even with the IT community, there are lots of people who are not aware of these issues - lots of them in big companies like TCS. The older have an excuse but there are a huge number of youngsters who are not aware too!
What is the use of your dongle if it gets stolen? The *real* issue is not about the certs. It is about the software that allows you to access those very certs. Ipso facto, quite a few providers give users additional software that keeps the private keys encrypted (mostly symmetric in nature). Again, there are industry standard ways to do this.
The question is... does TCS follow the standards? Is the software secure? Whether or not they provide sources of this software, on most systems strcpy() still causes a lot of pain and anguish. And is this software compatible with GNU/Linux, BSDs and a host of other OSs out there.
Another important question is... can I generate my own cert and get it signed by TCS? In case I do not want the dongle? Dongle only certs is a stupid way of doing things.
Prasad, I'll be glad if you could point me to the right person inside TCS so that these questions get answered.
What concerns me more is the level of ignorance of the people who will be using these tools! During the heydays of email, I had seen a highly-placed government stooge who would distribute his password with his email. He thought, only people with the password can send him email.
What's worse? One of my friends has a letter from VSNL dating back to when TCP/IP connections were just introduced in India. It said that the IP addresses of their DNS servers were a national secret and won't be revealed under any circumstances.
On one hand what is happening is good from an e-governance POV. But according to my history books, Indian technology users are really bad at coping with technological changes. The only solution is easier to use tools and good fundamental education.
Regards,
ah
On Wed, April 26, 2006 16:42, Amol Hatwar said:
> On Tue, 2006-04-25 at 16:42 +0530, Prasad wrote:
>> back to the thread, two things first:
>> - I work in TCS, but am not here to defend it
> Good!
>> - Starting this thread back only to solve the problems with digital certificates issued by TCS-CA (I once worked on the digital certificates and related tools support for GNU/Linux here).
> Even better :).
>> We tested the digital certificates with Firefox and OpenSSL on GNU/Linux and they did work. While I have no information about what M$ Windows tools and software are being distributed along with the USB token, as far as I know all those tools also exist for GNU/Linux - at least inside TCS ;)
> Digital certs have to be standards based to be of any use... Make them on any OS, they'll be trusted as long as they are signed by a valid/popular/trusted CA.
Yes, I agree. The digital certificates have standards and TCS-CA follows them. The certificates work fine with Firefox on GNU/Linux. I remember testing certificate request generation from inside Firefox on GNU/Linux as well as using a smart-card to sign form data from Firefox + GNU/Linux.
>> We normally associate the lack of awareness of issues like vendor lock-in and the philosophy of FOSS etc., with non-IT people. The sad truth is that even with the IT community, there are lots of people who are not aware of these issues - lots of them in big companies like TCS. The older have an excuse but there are a huge number of youngsters who are not aware too!
> What is the use of your dongle if it gets stolen? The *real* issue is not about the certs. It is about the software that allows you to access those very certs. Ipso facto, quite a few providers give users additional software that keeps the private keys encrypted (mostly symmetric in nature). Again, there are industry standard ways to do this.
well, it's not my dongle ;) the browsers use the PKCS11 interfaces to interact with hardware tokens for certificates. The hardware tokens never give out the private key, hence irrespective of how safe the application is, the certificate private key is safe. You could then use the hardware token without any worries even at an internet center (untrusted systems). It's a tradeoff between losing your hardware token (it is still password protected) and losing your private key!
> The question is... does TCS follow the standards? Is the software secure? Whether or not they provide sources of this software, on most systems strcpy() still causes a lot of pain and anguish. And is this software compatible with GNU/Linux, BSDs and a host of other OSs out there.
TCS does follow standards. As long as the private key is in a hardware token, irrespective of how secure your operating system or application is, the private key is safe and secure. I would be the first to party if TCS releases the source-code of these applications... but am not sure if they would. There definitely are software compatible with GNU/Linux and other free operating systems - mostly based either on OpenSSL or on Mozilla NSS.
> Another important question is... can I generate my own cert and get it signed by TCS? In case I do not want the dongle? Dongle only certs is a stupid way of doing things.
I think you can. As far as I remember, the system generates the certificate request on the client browser - which is on the user side. There probably is also a way to put in your request directly into a form (I saw it somewhere, not sure if it was on TCS-CA)
> Prasad, I'll be glad if you could point me to the right person inside TCS so that these questions get answered.
Well, not sure if I can give you any email-ids, but you should still be able to find some kind of contact information on http://www.tcs-ca.tcs.co.in/
> What concerns me more is the level of ignorance of the people who will be using these tools! During the heydays of email, I had seen a highly-placed government stooge who would distribute his password with his email. He thought, only people with the password can send him email.
> What's worse? One of my friends has a letter from VSNL dating back to when TCP/IP connections were just introduced in India. It said that the IP addresses of their DNS servers were a national secret and won't be revealed under any circumstances.
> On one hand what is happening is good from an e-governance POV. But according to my history books, Indian technology users are really bad at coping with technological changes. The only solution is easier to use tools and good fundamental education.
Well, the ignorance of end-users is one probable reason why they need hardware tokens and not certificates stored in browsers/system. People rarely are aware of the security risks when they browse internet or do banking transactions on public machines :(
Prasad
Prasad wrote:
> On Wed, April 26, 2006 16:42, Amol Hatwar said:
>> On Tue, 2006-04-25 at 16:42 +0530, Prasad wrote:
>>> back to the thread, two things first:
>> What is the use of your dongle if it gets stolen? The *real* issue is not about the certs. It is about the software that allows you to access those very certs. Ipso facto, quite a few providers give users additional software that keeps the private keys encrypted (mostly symmetric in nature). Again, there are industry standard ways to do this.
> well, it's not my dongle ;) the browsers use the PKCS11 interfaces to interact with hardware tokens for certificates. The hardware tokens never give out the private key, hence irrespective of how safe the application is, the certificate private key is safe. You could then use the hardware token without any worries even at an internet center (untrusted systems). It's a tradeoff between losing your hardware token (it is still password protected) and losing your private key!
I remember the TCS people telling us that the dongle is protected with a PIN type password (similar to those used in ATM cards?). Also that if you lose the dongle, you have to immediately call TCS who will then withdraw the certificate. So if the certificate is withdrawn, then anyone using it after it is withdrawn also does not benefit. You are also required to inform the MCA that you are replacing your digital certificate.
Of course, you will need to pay TCS Rs. 2075 for another digital certificate. But that is fair and a punishment for being careless with your equipment. Are you going to do things like that with your credit card? If you don't lose your credit card, why will you want to lose your Digital Certificate Token.
>> The question is... does TCS follow the standards? Is the software secure? Whether or not they provide sources of this software, on most systems strcpy() still causes a lot of pain and anguish. And is this software compatible with GNU/Linux, BSDs and a host of other OSs out there.
> TCS does follow standards. As long as the private key is in a hardware token, irrespective of how secure your operating system or application is, the private key is safe and secure. I would be the first to party if TCS releases the source-code of these applications... but am not sure if they would. There definitely are software compatible with GNU/Linux and other free operating systems - mostly based either on OpenSSL or on Mozilla NSS.
>> Another important question is... can I generate my own cert and get it signed by TCS? In case I do not want the dongle? Dongle only certs is a stupid way of doing things.
> I think you can. As far as I remember, the system generates the certificate request on the client browser - which is on the user side. There probably is also a way to put in your request directly into a form (I saw it somewhere, not sure if it was on TCS-CA)
>> Prasad, I'll be glad if you could point me to the right person inside TCS so that these questions get answered.
> Well, not sure if I can give you any email-ids, but you should still be able to find some kind of contact information on http://www.tcs-ca.tcs.co.in/
>> What concerns me more is the level of ignorance of the people who will be using these tools! During the heydays of email, I had seen a highly-placed government stooge who would distribute his password with his email. He thought, only people with the password can send him email.
>> What's worse? One of my friends has a letter from VSNL dating back to when TCP/IP connections were just introduced in India. It said that the IP addresses of their DNS servers were a national secret and won't be revealed under any circumstances.
>> On one hand what is happening is good from an e-governance POV. But according to my history books, Indian technology users are really bad at coping with technological changes. The only solution is easier to use tools and good fundamental education.
> Well, the ignorance of end-users is one probable reason why they need hardware tokens and not certificates stored in browsers/system. People rarely are aware of the security risks when they browse internet or do banking transactions on public machines :(
> Prasad
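The certificate mechanics the thread keeps returning to, as an added example that is not code from the thread, from TCS-CA or from any of the posters: Devdas's point that the law mandates X.509 and a tree of trust rooted at a CA, Prasad's that the certificate request is generated on the user's side so the private key never leaves the token, and Saswata's that a lost token's certificate is withdrawn and a verifier gains nothing from it afterwards. The example uses Go's standard crypto/x509 library as a stand-in for the OpenSSL commands Devdas mentions; the CA, subscriber and relying party are ordinary functions in one process, and every name, serial number and the signed document are constructed values.

```go
package main

// Added example, not code from the thread or from TCS-CA: the X.509 "tree of
// trust" end to end in Go's standard crypto/x509, standing in for the OpenSSL
// commands the thread mentions. Names, serials and the document are constructed.
// The subscriber's private key never leaves NewSubscriber and SignDocument,
// which is the property a hardware token enforces in practice.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on failures a demo cannot recover from (key generation, encoding).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA holds the root key pair and certificate; Serial is the last serial issued.
type CA struct{ Key *ecdsa.PrivateKey; Cert *x509.Certificate; Serial int64 }

// NewCA creates a self-signed root entitled to sign certificates and CRLs.
func NewCA(name string) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{Key: key, Cert: must(x509.ParseCertificate(der)), Serial: 1}
}

// NewSubscriber runs on the user's side: only the CSR (name plus public key,
// self-signed as proof of possession) travels to the CA; the key stays here.
func NewSubscriber(name string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}
	return key, must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// Issue rejects a CSR whose proof of possession fails, otherwise signs a leaf
// certificate limited to digital-signature use under the next serial number.
func (ca *CA) Issue(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return nil, fmt.Errorf("rejected csr: %w", err)
	}
	ca.Serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(ca.Serial), Subject: csr.Subject,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key))
	return must(x509.ParseCertificate(der)), nil
}

// PublishCRL is what "withdrawing" a lost token's certificate means: the CA
// signs the list of revoked serial numbers that every verifier must consult.
func (ca *CA) PublishCRL(revoked ...*x509.Certificate) []byte {
	var entries []pkix.RevokedCertificate
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	list := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: entries}
	return must(x509.CreateRevocationList(rand.Reader, list, ca.Cert, ca.Key))
}

// SignDocument is the step a hardware token performs inside itself.
func SignDocument(key *ecdsa.PrivateKey, doc []byte) []byte {
	digest := sha256.Sum256(doc)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

// VerifyDocument is the relying party's check: the leaf chains to the trusted
// root, is absent from the root's CRL, and its key signed exactly this document.
func VerifyDocument(root *x509.Certificate, crlDER []byte, leaf *x509.Certificate, doc, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(root) // a CRL not signed by the root proves nothing
	}
	if err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %d revoked", leaf.SerialNumber)
		}
	}
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	return nil
}

func main() {
	ca,  doc := NewCA("Demo CA (constructed)"), []byte("constructed filing: annual return FY 2005-06")
	aliceKey, aliceCSR := NewSubscriber("Alice, token in hand")
	_, bobCSR := NewSubscriber("Bob, token lost")
	alice, bob := must(ca.Issue(aliceCSR)), must(ca.Issue(bobCSR))
	crl := ca.PublishCRL(bob) // Bob reported the loss; the CA withdrew his certificate
	fmt.Println("alice:", VerifyDocument(ca.Cert, crl, alice, doc, SignDocument(aliceKey, doc))) // <nil>
	fmt.Println("bob:", VerifyDocument(ca.Cert, crl, bob, doc, SignDocument(aliceKey, doc)))     // serial 3 revoked
}
```

Run it with `go run`. Alice's filing verifies; Bob's certificate is rejected by the CRL check before his signature is even looked at, which is why the prompt phone call to the CA that Saswata describes matters. Two design choices worth noticing: the relying party refuses a CRL it cannot validate instead of silently skipping the revocation check, and the CA only ever sees the CSR, so even a careless CA never holds the subscriber's private key.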
On Tue, 2006-04-25 at 16:42 +0530, Prasad wrote:
> - Starting this thread back only to solve the problems with digital certificates issued by TCS-CA (I once worked on the digital certificates and related tools support for GNU/Linux here).
Your commitment to get things working right is appreciated.
> We normally associate the lack of awareness of issues like vendor lock-in and the philosophy of FOSS etc., with non-IT people. The sad truth is that even with the IT community, there are lots of people who are not aware of these issues - lots of them in big companies like TCS.
From my experience the bigger the company the more apathy it exhibits to play well with others.
> The older have an excuse but there are a huge number of youngsters who are not aware too!
I agree and find the trend very disturbing - implies the younger generation is growing up with "Mickey see Mickey do..." attitude without any quest/thirst for exploration and invention.
> Well, in my opinion (a) this is not something done intentionally and knowingly; at best it is ignorance, at worst it is succumbing to a perceived convenience (http://www.zdnet.com.au/news/software/0,2000061733,39168780,00.htm) and
For a corporate environment, there may be some justification for the stuff discussed on the above link. For their Intranet, they develop the apps and they pay for the maintenance of the desktop (the OS platform, virus scanners, spyware scanners etc.) and thus they can dictate which browser to use but ... for external customers they have to be more flexible and support at least the top 5 browsers in the market.
Further, I strongly disagree that similar justification can be applied to Govt. portals, that have been developed and funded with the Tax Payer's money and have a wide impact on the public. The Govt. _cannot_ _dictate_ to the public which specific browser (MSIE) or OS platform (Windows by inference) the user must have in order to engage in e-Governance transactions. It is tantamount to endorsement of a specific vendor and application. The vendors (most of them BIG IT houses of India) who develop such portals for the Govt. are equally responsible for such travesties. If the Govt. tender fails to identify standards and interoperability issues then they must "educate" the Govt. officials who manage these projects. The vendors cannot feign ignorance about standards and interoperability issues. Take the MCA web site http://www.mca.gov.in/. Besides other issues w.r.t. Digital Certs. brought up in this list, simple activities like the feedback and the company name search forms fail to work at this site using FF 1.5.0.2 (Linux).
> (b) as many people as possible should protest -- the objective is to raise awareness of the issue both in the user and the developer communities, not to blame or malign someone.
Give us name(s) and a snail mail or email addresses where we can submit our protests.
-- Arun Khan (knura at yahoo dot com) Those who can, do. Those who can't, simulate.
On Thu, Apr 27, 2006 at 04:25:28PM +0530, Arun K. Khan wrote:
> Further, I strongly disagree that similar justification can be applied to Govt. portals, that have been developed and funded with the Tax Payer's money and have a wide impact on the public. The Govt. _cannot_ _dictate_ to the public which specific browser (MSIE) or OS platform (Windows by inference) the user must have in order to engage in e-Governance transactions. It is tantamount to endorsement of a specific vendor and application.
Very true. I believe Prez. A P J Kalam is in favour of open source, maybe he could be given a proper briefing to enable him to put pressure on other Govt. depts.
> The vendors (most of them BIG IT houses of India) who develop such portals for the Govt. are equally responsible for such travesties. If the Govt. tender fails to identify standards and interoperability issues then they must "educate" the Govt. officials who manage these projects.
If the vendor does not know the abc of programming in Linux, how will he promote anything other than what he knows and can support (M$). The govt. officials too are ignorant of anything other than Windows and Internet Explorer. In another mail, I will post some 'pearls of wisdom' of Triband's tech support.
> The vendors cannot feign ignorance about standards and interoperability issues. Take the MCA web site http://www.mca.gov.in/. Besides other issues w.r.t. Digital Certs. brought up in this list, simple activities like the feedback and the company name search forms fail to work at this site using FF 1.5.0.2 (Linux).
"This portal has been developed by Tata Consultancy Services(TCS) for Ministry of Company Affairs(MCA). The contents on this portal are compiled, maintained and hosted by TCS. Though all efforts have been made to keep the content on this portal accurate and up-to-date. The same should not be construed as a statement of law or used for any legal purposes. All queries regarding the content of this portal may be directed to appl.helpdesk *at* mca.gov.in"
Regards,
Rony.
On Thu, 2006-04-27 at 21:57 +0530, Rony wrote:
> On Thu, Apr 27, 2006 at 04:25:28PM +0530, Arun K. Khan wrote:
>> Further, I strongly disagree that similar justification can be applied to Govt. portals, that have been developed and funded with the Tax Payer's money and have a wide impact on the public. The Govt. _cannot_ _dictate_ to the public which specific browser (MSIE) or OS platform (Windows by inference) the user must have in order to engage in e-Governance transactions. It is tantamount to endorsement of a specific vendor and application.
> Very true. I believe Prez. A P J Kalam is in favour of open source, maybe he could be given a proper briefing to enable him to put pressure on other Govt. depts.
IIRC, Prez. Kalam has discussed his views favoring OSS with Bill Gates when he called on him during one of his visits to India but ... I guess his message gets diluted by the time it reaches the Govt. depts.
>> The vendors (most of them BIG IT houses of India) who develop such portals for the Govt. are equally responsible for such travesties. If the Govt. tender fails to identify standards and interoperability issues then they must "educate" the Govt. officials who manage these projects.
> If the vendor does not know the abc of programming in Linux, how will he promote anything other than what he knows and can support (M$). The govt. officials too are ignorant of anything other than Windows and Internet Explorer. In another mail, I will post some 'pearls of wisdom' of Triband's tech support.
The high profile Govt. web sites are usually developed by one of the big IT houses of India. To the best of my knowledge all of them are Linux/OSS savvy. My point is, that whatever they do on the web server side should play with browsers other than IE on the client side. On the flip side a bad site implemented on Apache/Linux that does not work right on IE is equally appalling.
-- Arun Khan (knura at yahoo dot com) If A equals success, then the formula is _A = _X + _Y + _Z. _X is work. _Y is play. _Z is keep your mouth shut. -- Albert Einstein
I have been able to locate the persons who are nominally in charge of the MCA-21 project from the invitation to the seminar.
Person responsible for MCA-21 in Maharashtra :
Mr. V S Rao, Regional Director - Western Region, Ministry of Company Affairs
Mr. Vijayan Menon Registrar of Companies
TCS representative : Mr. Sohel Bogani, Regional Head - Business Development
Unfortunately, I do not have their email id or phone nos. However, they should be listed in the government departmental directories in www.nic.in
Regards Saswata