If I as a server use your client cert to authenticate you, I can be certain that you possess the private keys associated with your client cert.
If those keys are only stored in hardware that can't be read, then I am assured that you possess the physical hardware that holds the private keys (especially if those keys were generated by that hardware and never exposed). If the keys are not protected from a read, then they could be sprayed all over the Internet if the software were compromised. Not so if the keys were stored in hardware - you need to have the device and you can't impersonate it.

On Thu, Sep 2, 2010 at 7:16 PM, Chris Stratton <[email protected]> wrote:
> You wouldn't, you would just impersonate their authorised user, unless
> there's a user password check required with user-annoying frequency.
>
> On Sep 2, 8:52 pm, Jeff Enderwick <[email protected]> wrote:
>> How would you extract the private keys from the TPM?
>>
>> On Thu, Sep 2, 2010 at 5:09 PM, Chris Palmer <[email protected]> wrote:
>> >> TPM would allow you to securely store the private keys associated with
>> >> a client cert. And IMO that is a pretty useful thing. Especially when
>> >> there are official loads like this:
>> >> http://grack.com/blog/2010/07/07/how-we-found-a-backdoor-in-sprints-e...
>>
>> > No, a TPM will not help you if an attack has rooted your system.

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
