On Wed, April 26, 2006 16:42, Amol Hatwar said:
On Tue, 2006-04-25 at 16:42 +0530, Prasad wrote:
back to the thread, two things first:
- I work in TCS, but am not here to defend it
Good!
- Starting this thread back only to solve the problems with digital
certificates issued by TCS-CA (I once worked on the digital cerficates and related tools support for GNU/Linux here).
Even better :).
We tested the digital certificates with Firefox and OpenSSL on GNU/Linux and they did work. While I have no information about what M$ windows tools and software are being distributed along with the USB token, but as far as I know all those tools also exist for GNU/Linux - atleast inside TCS ;)
Digital certs have to be standards based to be of any use... Make them on any OS, they'll be trusted as long as they are signed by a valid/popular/trusted CA.
Yes, I agree. The digital certificates have standards and TCS-CA follows them. The certificates work fine with firefox on GNU/Linux. I remember testing certificate request generation from inside firefox on GNU/Linux as well has using a smart-card to sign form data from firefox + GNU/Linux.
We normally associate the lack of awareness of issues like vendor lock-in and the philosophy of FOSS etc., with non-IT people. The sad truth is that even with the IT community, there are lots of people who are not aware of these issues - lots of them in big companies like TCS. The older have an excuse but there are a huge number of youngsters who are not aware too!
What is the use of your dongle if it gets stolen? The *real* issue is not about the certs. It is about the software that allows you to access those very certs. Ipso facto, quite a few providers give users additional software that keeps the private keys encrypted (mostly symmetric in nature). Again, there are industry standard ways to do this.
well, its not my dongle ;) the browsers use the PKCS11 interfaces to interact with hardware tokens for certificates. The hardware tokens never give out the private key, hence irrespective of how safe the application is, the certificate private key is safe. You could then use the hardware token without any worries even at a internet center (untrusted systems). Its a tradeoff between losing your hardware token (it is still password protected) and losing your private key!
The question is... does TCS follow the standards? Is the software secure? Whether or not they provide sources of this software, on most systems strcpy() still causes a lot of pain and anguish. And is this software compatible with GNU/Linux, BSDs and a host of other OSs out there.
TCS does follow standards. As long as the private key is in a hardware token, irrespective of how secure your operating system or application is, the private key is safe and secure. I would be the first to party if TCS releases the source-code of these applications... but am not sure if they would. There definitely are software compatible with GNU/Linux and other free operating systems - mostly based either on OpenSSL or on Mozilla NSS.
Another important question is... can I generate my own cert and get it signed by TCS? In case I do not want the dongle? Dongle only certs is a stupid way of doing things.
I think you can. As far as I remember, the system generates the certificate request on the client browser - which is on the user side. There probably is also a way to put in your request directly into a form (I saw it somewhere, not sure if it was on TCS-CA)
Prasad, I'll be glad if you could point me to the right person inside TCS so that these questions get answered.
Well, not sure if I can give you any email-ids, but you should still be able to find some kind of contact information on http://www.tcs-ca.tcs.co.in/
What concerns me more is the level of ignorance of the people who will be using these tools! During the hey-days of email, I had seen a highly-placed government stooge who would distribute his password with his email. He thought, only people with the password can send him email.
What's worse? One of my friends has a letter from VSNL dating back to when TCP/IP connections were just introduced in India. It said that the IP addresses of their DNS servers were a national secret and won't be revealed under any circumstances.
On one hand what is happening is good from an e-governance POV. But according to my history books, Indian technology users are really bad at coping with technological changes. The only solution is easier to use tools and good fundamental education.
Well, the ignorance of end-users is one probable reason why they need hardware tokens and not certificates stored in browsers/system. People rarely are aware of the security risks when they browse internet or do banking transactions on public machines :(
Prasad