Client Authentication

Doug Hardie bc979 at
Sun Mar 24 08:33:17 UTC 2013

On 24 March 2013, at 01:22, Polytropon <freebsd at> wrote:

> Wouldn't there be a possibility to combine key _and_ password?
> The key shouldn't have to be removed, but it should only work
> with a password (which again is kept individual to each user).
> The process has to be made "more uncomfortable" to be secure,
> i. e., the password should _not_ be stored, instead it _has_
> to be entered every time the secure connection is to be used.
> If a different user gets his hands on a running session (in
> terms of user-separation or profiles on a particular machine),
> he won't be able to do anything with mail as he does not know
> the password, and the password will not be automatically
> provided for the sake of being "less complicated".
> I don't know your particular end user machine settings, so this
> is just a broad suggestion. Many things in this idea depend on
> what software the client systems use, and how this software
> actually deals with security-related settings and procedures.

The p12 format certificate includes the key and both are encrypted.  This seems like the best distribution format.  From what I have read most browsers can handle this distribution format since it is used in smart cards.  However, on Safari, at least, when you import the certificate you have to enter the encryption key for the certificate and key.  Then those are stored in the keychain (without any additional reference to that encryption key).  They than can be used by anyone on that machine.  It kind of defeats all the effort for security up to that point.

DoD addresses this issue by somehow making the certificate not be imported into the keychain, but retained on the smart card only.  Pulling the card from the reader eliminates any future use of it.  Thats what I would like to achieve.

-- Doug

More information about the freebsd-questions mailing list