Hi Patrick

Thanks for the quick response.
I totally agree with your point. Our associates often used to try others'
certificates. So I want to remove that threat also by incorporating the MAC
address into the certificates, apart from the existing setup.

Often WiMAX CPE vendors used to bind the MAC along with the certificate so
that one's certificate cannot be installed on another CPE.

I want to remove the risk of certificate stealing. Of course, I am using a CRL
for revoking. Still, I want to know of any possibility of adding the MAC to
the certificate as well.

Regards
Anoop C
Access Network Engineering
Sify Technologies Ltd.
Chennai
 
Mobile: +91 - 9884015161
Xtn:2867

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson
Sent: Wednesday, September 09, 2009 5:50 PM
To: openssl-users@openssl.org
Subject: Re: MAC address binding to the certificate

Hi there:

Anoop C wrote:
> Hi all
> 
> I am using certificates generated by openssl for authenticating the
> WiFi users using EAP-TLS 802.1x authentication.
> I would like to add the MAC address of the user machines into each user
> certificate so that the certificates used by one machine cannot be used
> in another machine/PC.
> 
> Could anyone please help with how to create a certificate with a MAC address
> bound to it?
> 
I think that you may want to revisit your assumptions here - it is
rather trivial to spoof a MAC address, so basing your security on that
is not very good.

Besides, as long as the user has a valid certificate, why do you care
which machine they log in from? If you can't trust the holder of the
certificate to keep it safe, then you have a different set of issues
that MAC address binding will not save you from.

Have fun.

Patrick.

> Regards
> Anoop
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
