Network Security Security-Basics

Re: Secure web site access and PKI Certs

Subject: Re: Secure web site access and PKI Certs
Date: Wed, 27 Apr 2005 14:38:05 -0700 (PDT)
Keenan,

   If the PKI certificate is installed on the local
machine with the "Enable Strong Private Key
Protection..." checked, a password will be required
each time the certificate is used.  This will provide
additional security for Single Sign On to PKI enabled
web sites.


--- Keenan Smith <kc_smith@clark.net> wrote:
All,

I have access to a secure web site. It used to require a PKI Cert to identify the user and then a standard username/password login to authenticate.

Recently a change was made to the site that allows the supplying of a PKI Subject CN Fragment to a user "profile" on the site. In this case, the certificate not only identifies the user but authenticates as well.

The end result is an "auto-login" feature that, in effect, keeps me logged in all the time. Anybody sitting at my machine and logged in as me (Windows XP) can access the web site as me.

At first glance this seems like it's a reasonable way to accomplish secure access to the web site. Installing the certificate as me ties it to my profile and makes it unavailable to other users on my machine, and since the use of the certificate requires a user to login as me, it moves the authentication piece from the web site to the Windows domain.

This seems to some extent like "security through obscurity" and also substituting convenience for security, an all-too-common problem.

Since it's my security-cleared neck on the line, I'd rather be too concerned rather than not concerned enough.

So I'm asking the collective wisdom of the list to consider. Is PKI's single sign-on capability reasonable? Is this implementation adequate? Thoughts? Opinions? Critiques?

Thanks
Keenan Smith
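The distinction Keenan draws is between a certificate that only identifies the user (with a password still doing the authenticating) and a certificate whose subject match alone opens the session. The Python below is an added illustration of a relying-party policy for those two modes; it is not code from the thread or from the site he describes. The profile table, the issuer and subject strings, the password store and the idle window are all constructed values. Two choices are deliberate: profiles are keyed on the full issuer-plus-subject pair rather than a CN fragment, and a session opened by certificate alone is pushed back to a password prompt after an idle period or before a sensitive action, so the trust placed in whoever is at the keyboard is bounded in time.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: one accepted client certificate (issuer + subject)
# and the profile it maps to.  Keying on the full pair, not a CN fragment,
# means a certificate whose CN merely contains the same substring does not
# resolve to this profile.  Chain validation is assumed to happen in the TLS
# layer before these functions are reached.
ISSUER = "CN=Example Issuing CA,O=Example Corp,C=US"
SUBJECT = "CN=Keenan Smith,OU=Staff,O=Example Corp,C=US"
PROFILES = {(ISSUER, SUBJECT): "ksmith"}

_SALT = b"constructed-salt-value"  # toy value; a real store uses a random per-user salt


def _password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


PASSWORDS = {"ksmith": _password_hash("correct horse battery staple")}  # constructed

REAUTH_AFTER = 15 * 60  # seconds of idle time before a password is demanded again


@dataclass
class Session:
    user: str
    cert_only: bool                 # True when the cert match alone opened the session
    last_active: float
    last_password_auth: Optional[float] = None


def identify_from_cert(issuer: str, subject: str) -> Optional[str]:
    """Identification step: which profile does this certificate name?"""
    return PROFILES.get((issuer, subject))


def verify_password(user: str, password: str) -> bool:
    """Authentication step: does the person at the keyboard know the secret?"""
    stored = PASSWORDS.get(user)
    return stored is not None and hmac.compare_digest(stored, _password_hash(password))


def login(issuer: str, subject: str, password: Optional[str], now: float,
          auto_login: bool = False) -> Optional[Session]:
    """Mode 1 (auto_login=False): the cert identifies, the password authenticates.
    Mode 2 (auto_login=True): the cert match alone logs the user in."""
    user = identify_from_cert(issuer, subject)
    if user is None:
        return None
    if auto_login:
        return Session(user, cert_only=True, last_active=now)
    if password is None or not verify_password(user, password):
        return None
    return Session(user, cert_only=False, last_active=now, last_password_auth=now)


def authorize(session: Session, now: float, sensitive: bool = False) -> str:
    """Return 'ok' if the request may proceed, or 'reauth' if a password
    must be entered first.  A certificate proves which key was used, not
    who is sitting at the machine, so idle sessions and sensitive actions
    fall back to the password."""
    if now - session.last_active > REAUTH_AFTER:
        return "reauth"
    if sensitive:
        if session.last_password_auth is None or now - session.last_password_auth > REAUTH_AFTER:
            return "reauth"
    session.last_active = now
    return "ok"


if __name__ == "__main__":
    s = login(ISSUER, SUBJECT, None, now=0.0, auto_login=True)
    print("auto-login session opened for", s.user if s else None)
    print("sensitive action on cert-only session:", authorize(s, now=5.0, sensitive=True))
```

The `auto_login=True` path is the behaviour the original post describes; the `authorize` check is the compensating control on the server side, complementary to the client-side "Enable Strong Private Key Protection" option the reply recommends.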



