[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Authentication Mechanism Matrix (was L2TP vs IPSEC)
>> OK, let me try another example, If I have a smartcard that has my key
>> pair, and my certificate, and I carry it around, and plug it into a
>> computer in an Internet Cafe, does that mean that now we are
>> authenticating the machine in the Internet Cafe!
>No. Here the machine is trusted implicitly. Any kiosk that I control
>(I'm a hypothetical evil entity) can abuse your card to secretly buy
>my Mom some flowers, in addition to completing your transaction.
>No crypto protocol helps here. This problem is out of our scope.
It seems the card holder trusted the machine, this does not imply
the receipent host should do likewise. Deere & Company would like very much
to have a high degree of assurance the machine is Deere owned and configured
prior to authorizing a connection. Something like a cert tied to a unique
characteristic of the machine?? Buying flowers is one thing, downloading
corporate secrets to a foreign system is another.
Deere & Company