Fixing SSL (was Re: Dutch Transport Card Broken)

Thierry Moreau thierry.moreau at connotech.com
Mon Feb 18 14:05:15 EST 2008 


Leichter, Jerry wrote:

> While trying to find something else, I came across the following
> reference:
> 
> 	Title:   Sender driven certification enrollment system
> 	Document Type and Number:  United States Patent 6651166
> 	Link to this page:  http://www.freepatentsonline.com/6651166.html
> 	Abstract:
> 	A sender driven certificate enrollment system and methods of its
> 	use are provided, in which a sender controls the generation of a
> 	digital certificate that is used to encrypt and send a document
> 	to a recipient in a secure manner. The sender compares
> 	previously stored recipient information to gathered information
> 	from the recipient. If the information matches, the sender
> 	transfers key generation software to the recipient, which
> 	produces the digital certificate, comprising a public and
> 	private key pair. The sender can then use the public key to
> 	encrypt and send the document to the recipient, wherein the
> 	recipient can use the matching private key to decrypt the
> 	document.
> 

Some feedback on the above security certificate issuance process.

At first, it seems neat. But then, looking at how it works in practice:

the client receives an e-mail notification soliciting him to click on a
HTML link and then enroll for a security certificate,

the client is solicited exactly like a phishing criminal would do, and

a java software utility downloaded from the web should not be allowed to
modify security-critical parameters on the local machine.


According to my records, this issuance process is nonetheless
representative of research directions for user enrollment, i.e. there
aren't too many other documented processes in this area.

Regards,


-- 

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: thierry.moreau at connotech.com



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list