Hi Patrick,

Thanks for the quick response. I totally agree with your point. Our associates often used to try others' certificates. So I want to remove that threat also by incorporating the MAC address into the certificates, apart from the existing setup.

Often WiMAX CPE vendors used to bind the MAC along with the certificate so that one's certificate cannot be installed on another CPE. I want to remove the risk of certificate stealing. Of course I am using CRL for revoking. I still want to know of any possibility of adding the MAC to the certificate as well.

Regards
Anoop C
Access Network Engineering
Sify Technologies Ltd.
Chennai
Mobile: +91 - 9884015161
Xtn: 2867

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson
Sent: Wednesday, September 09, 2009 5:50 PM
To: openssl-users@openssl.org
Subject: Re: MAC address binding to the certificate

Hi there:

Anoop C wrote:
> Hi all
>
> I am using certificates generated by openssl for authenticating the
> WiFi users using EAP-TLS 802.1x authentication.
> I would like to add the MAC address of the user machines into each user
> certificate so that the certificates used by one machine cannot be used on
> another machine/PC.
>
> Could anyone please help with how to create a certificate with the MAC
> address bound to it.
>

I think that you may want to revisit your assumptions here - it is rather trivial to spoof a MAC address, so basing your security on that is not very good.

Besides, as long as the user has a valid certificate, why do you care which machine they log in from? If you can't trust the holder of the certificate to keep it safe, then you have a different set of issues that MAC address binding will not save you from.

Have fun.

Patrick.

> Regards
> Anoop
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
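
The server-side check that the binding asked about in this thread implies, as an added example that is not part of the original messages: it compares a MAC carried in the client certificate with the RADIUS Calling-Station-Id reported for the 802.1X session. Assumptions: the CA stored the MAC in the subject `serialNumber` attribute (the thread names no field), the subject is in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the function names and sample values are constructed for illustration.

```python
import re

# Constructed sample: subject of a client certificate in the shape returned by
# ssl.SSLSocket.getpeercert(). Assumption: the CA put the device MAC in the
# subject serialNumber attribute; the thread does not name a field.
SAMPLE_SUBJECT = (
    (("commonName", "user1"),),
    (("serialNumber", "00:1A:2B:3C:4D:5E"),),
)

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is malformed."""
    # Accept the common notations: 00-1A-..., 00:1a:..., 001a.2b3c.4d5e
    compact = re.sub(r"[-:.]", "", value.strip().lower())
    return compact if _HEX12.fullmatch(compact) else None


def mac_from_subject(subject):
    """Return the normalized MAC from the subject, or None if absent or ambiguous."""
    values = [v for rdn in subject for (k, v) in rdn if k == "serialNumber"]
    if len(values) != 1:  # missing or repeated attribute: refuse to guess
        return None
    return normalize_mac(values[0])


def binding_ok(subject, calling_station_id):
    """True only if the certificate's MAC equals the MAC reported for the session.

    Calling-Station-Id is the address the client presented on the wire, so this
    ties the certificate to a claimed address, not to a physical machine.
    """
    bound = mac_from_subject(subject)
    seen = normalize_mac(calling_station_id)
    # Fail closed: an unparsable value on either side is a mismatch.
    return bound is not None and bound == seen
```

A mismatch is worth logging as a signal that a certificate has moved between machines, but a match proves only that the session used the bound address, which is the limitation raised in Patrick's reply.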