Denis,

You have already made the appropriate leap to this conclusion.
I was going to suggest that there is something atypical about
your application architecture if you're relying on authentication
of the *machine* without the use of a hardware token - such as a
smartcard, TPM chip, etc.

What you want are FIPS 140-2 Level 2 (or above) certified crypto
tokens that generate keys on-board and store the certificate of
the user on the token (in addition to the browser).  The private
key, however, never leaves the token, thus ensuring its security.

Once your customers are issued these tokens with their personal
certificates, they can use them on any PC they desire (assuming
that the PC has been configured with the appropriate CA cert-chain).

If you absolutely need to rely on authenticating the PC, then
the only option you have is the TPM chip, because it is built
with the chip on the motherboard by the manufacturer.

As an aside, StrongAuth, Inc., the company I represent, has been
in the business of architecting, building & operating some of the
largest closed-PKIs in the world for enterprises, with the use of
crypto-tokens.  Most recently, we built a PKI for a bio-technology
company that embedded secure processors with digital certificates
into three different parts of their product, so that they may
strongly authenticate to each other before being used.  This was
designed to deter counterfeiters from cloning the consumable part
of their product.  The device is currently awaiting FDA approval
before coming to market.

Feel free to get in touch with us, if we can be of any help to you.

Arshad Noor
StrongAuth, Inc.
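The architecture described above (a closed PKI issuing certificates to tokens that generate their keys on-board, and relying parties that authenticate the token by chain validation plus a fresh challenge) as an added, self-contained example. This is not code from the original message or from StrongAuth; the `Token` type is a constructed stand-in for a real smartcard/TPM driver, the names `NewCA`, `Issue` and `Authenticate` are assumptions for illustration, and everything else is Go standard library. The point it makes concrete is that only the public key ever crosses the token boundary, and that a certificate from any CA outside the closed chain (a counterfeit part) or a replayed signature is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Token models a hardware crypto token (a constructed stand-in, not a PKCS#11 or TPM
// driver): the key pair is generated on-board and no method returns the private key.
type Token struct{ priv *ecdsa.PrivateKey }

func NewToken() (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv}, nil
}

func (t *Token) PublicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Sign hashes and signs a relying-party challenge inside the token.
func (t *Token) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, t.priv, h[:])
}

// CA is the closed PKI that certifies token public keys (hypothetical helper).
type CA struct{ priv *ecdsa.PrivateKey; Cert *x509.Certificate }

func NewCA(name string) (*CA, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{priv: priv, Cert: cert}, err
}

// Issue certifies a token's public key; only the public key leaves the token.
func (ca *CA) Issue(cn string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Authenticate is the relying party's check: the certificate must chain to a trusted
// root of the closed PKI, and the signature must cover the challenge this party issued.
func Authenticate(roots *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected key type %T", cert.PublicKey)
	}
	if h := sha256.Sum256(challenge); !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not match the issued challenge")
	}
	return nil
}

func main() {
	ca, _ := NewCA("Example Closed PKI Root")
	tok, _ := NewToken()
	cert, _ := ca.Issue("customer-0001", tok.PublicKey())
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	challenge := make([]byte, 32) // fresh per session, so a captured signature cannot be replayed
	rand.Read(challenge)
	sig, _ := tok.Sign(challenge)
	fmt.Println("genuine token:", Authenticate(roots, cert, challenge, sig))
}
```

In a real deployment the `Token` methods map onto the token's PKCS#11 `C_GenerateKeyPair` and `C_Sign` calls (or the TPM equivalents), so the relying-party side stays exactly as shown; what changes is only where `Sign` runs. The random 32-byte challenge is what turns a static certificate into a proof of possession: without it, a copy of the certificate plus one recorded signature would be enough to impersonate the part.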

Denis McCarthy wrote:
Thanks for the suggestion David. Unfortunately we are not connecting
to an active directory domain - our application has to go out over the
internet. I did a bit of fiddling with the certificates snap-ins, but
Microsoft only makes certificates installed in the user account
available to IE. One other thing I've been mulling over - is it
possible to get a cheap piece of hardware (i.e. a dongle of some sort)
that you can put an X509 certificate on? If so, could anyone point me
in the direction of a company that provides such a product?
Regards
Denis
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto