[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Authentication Mechanism Matrix (was L2TP vs IPSEC)



>> OK, let me try another example, If I have a smartcard that has my key
>> pair, and my certificate, and I carry it around, and plug it into a
>> computer in an Internet Cafe, does that mean that now we are
>> authenticating the machine in the Internet Cafe!
>
>No.  Here the machine is trusted implicitly.  Any kiosk that I control
>(I'm a hypothetical evil entity) can abuse your card to secretly buy
>my Mom some flowers, in addition to completing your transaction.
>No crypto protocol helps here.  This problem is out of our scope.

	It seems the card holder trusted the machine, this does not imply
the receipent host should do likewise.  Deere & Company would like very much
to have a high degree of assurance the machine is Deere owned and configured
prior to authorizing a connection.  Something like a cert tied to a unique
characteristic of the machine??  Buying flowers is one thing, downloading
corporate secrets to a foreign system is another.

	Charlie Finney
	Technical Consultant
	Deere & Company