RE: Secure web site access and PKI Certs

["Joshua Berry" <jberry () PENSON COM>]

In this case you would want the certificate created under the Domain
users account, not a local user on the pc.  That way you have to
authenticate to the domain, and that password cannot be changed with a
bootup disk.

-----Original Message-----
From: Justin Roysdon [mailto:justin () roysdon net] 
Sent: Wednesday, April 27, 2005 10:24 PM
To: Keenan Smith; security-basics () securityfocus com
Subject: Re: Secure web site access and PKI Certs

Last I checked, if someone has local access to your system, then it's
not 
very difficult to change your password (with a boot disk) and then
proceed 
to login as your user.  It sounds like a poor way to authenticate.
The benefit of the seperate authentication is lost.

Crypto Geek



---------- Original Message -----------
From: "Keenan Smith" <kc_smith () clark net>
To: <security-basics () securityfocus com>
Sent: Wed, 27 Apr 2005 11:12:02 -0400
Subject: Secure web site access and PKI Certs

> All,
>
> I have access to a secure web site.  It used to require a PKI Cert to
> identify the user and then a standard username/password login to
> authenticate.
>
> Recently a change was made to the site that allows the supplying of a
> PKI Subject CN Fragment to a user "profile" on the site.  In this 
> case, the certificate not only identifies the user but authenticates 
> as well.
>
> The end result is an "auto-login" feature that in effect, keeps me
> logged in all the time.  Anybody sitting at my machine and logged in 
> as me (Windows XP) can access the web site as me.
>
> At first glance this seems like it's a reasonable way to accomplish a
> secure access to the web site.  Installing the certificate as me 
> ties it to my profile and makes it unavailable to other users on my 
> machine and since the use of the certificate requires a user to 
> login as me, it moves the authentication piece from the web site to 
> the Windows domain.
>
> This seems to some extent like "security through obscurity" and also
> substituting convenience for security, an all-to-common problem.
>
> Since it's my security-cleared neck on the line, I'd rather be too
> concerned rather than not concerned enough.
>
> So I'm asking the collective wisdom of the list to consider.  Is 
> PKI's single sign-on capability reasonable?  Is this implementation 
adequate?
> Thoughts?  Opinions?  Critiques?
>
> Thanks
> Keenan Smith
------- End of Original Message -------