SmartCard Enabled Websites?

2003-01-13 Thread Joshua Miller
Is it possible to SmartCard enable a website? I've got a customer
requiring that we support SmartCard devices - I was under the impression
SmartCard website authentication happened at the workstation level using
software to control user access to specific sites. Is this not the case?
Is there actual code to integrate into an application to make it
SmartCard aware?
 
Thanks,
 
Joshua Miller
Head Programmer / IT Manager
Garrison Enterprises Inc.
www.garrisonenterprises.net
[EMAIL PROTECTED]
(704) 569-9044 ext. 254
 


RE: SmartCard Enabled Websites?

2003-01-13 Thread Dave Watts
> Is it possible to SmartCard enable a website? I've got
> a customer requiring that we support SmartCard devices
> - I was under the impression SmartCard website
> authentication happened at the workstation level using
> software to control user access to specific sites. Is
> this not the case? Is there actual code to integrate
> into an application to make it SmartCard aware?

You can use smartcard authentication at the workstation level to control
access to your web server, and to provide authorization for specific
functionality within your application. RSA SecurID provides this sort of
functionality:

http://www.rsasecurity.com/products/securid/techspecs/windows.html

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444


Re: SmartCard Enabled Websites?

2003-01-13 Thread Jesse Houwing
Joshua Miller wrote:

> Is it possible to SmartCard enable a website? I've got a customer
> requiring that we support SmartCard devices - I was under the impression
> SmartCard website authentication happened at the workstation level using
> software to control user access to specific sites. Is this not the case?
> Is there actual code to integrate into an application to make it
> SmartCard aware?
>
> Thanks,

Most smartcard readers can be configured to integrate with the browser's
certificate store (look in Mozilla under preferences - security &
privacy - SSL certificates; you'll see a devices tab listed) and then if
you configure your website to request a user certificate they can supply
the smartcard as the carrier of this certificate, so to say. It's all
quite easy.

Jesse





Re: SmartCard Enabled Websites?

2003-01-13 Thread Jochem van Dieten
Joshua Miller wrote:
> Is it possible to SmartCard enable a website? I've got a customer
> requiring that we support SmartCard devices - I was under the impression
> SmartCard website authentication happened at the workstation level using
> software to control user access to specific sites. Is this not the case?

Smartcard access control can be at any level you want. You can use it to 
control access to (wireless) networks (e.g. in conjunction with IEEE 
802.1x), to computers (native in Windows 2000 and XP) and to websites.


> Is there actual code to integrate into an application to make it
> SmartCard aware?

Smartcard is a rather broad description. According to some recent stats 
there are some 600 million smartcards in circulation worldwide. 500 
million of them are integrated in mobile phones. Of the remaining 100 
million, some 60 million are integrated into bank cards. The rest has 
some dedicated purpose, and is the type most people think about when 
they hear the word smartcard.
The idea behind smartcards is that the security of just passwords 
depends on something you know. And since people tend to forget 
that, they write it down on those little notes at the bottom of the screen.
With a smartcard however, it depends on both something you know and 
something you have. Even if you know the password, you still can't get 
in without the smartcard.
Eventually some biometric systems will be developed, so it will become 
possible to do the thing that we actually want, which is determine not 
what somebody knows or has, but who he is. But that will take some time.

The dedicated type is probably what your customer has in mind. Typically 
they function by installing a client certificate on the smartcard that 
is then accessed by the browser (requires the user to type a password) 
and then the browser uses the client certificate to identify itself to 
the server.
But I know that RSA is selling phone based systems as well, and for a 
ground-up rollout it is certainly worth investigating (smartcards are 
expensive, buying a mobile phone with one built-in is almost cheaper).


I expect to have a site with smartcard authentication running by the end 
of next month using neither proprietary hardware nor proprietary 
smartcards. It will be using mobile phones people already have and 
bankcards people already have (of the 60 million bank cards some 22 
million are in the Netherlands, with a population of about 16 million).

Jochem
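
The server side of the flow described in the replies above, as an added example that is not part of the original thread: the web server verifies the client certificate held on the card, and the application only maps the verified certificate to an account. It assumes Apache mod_ssl with `SSLVerifyClient require` and `SSLOptions +StdEnvVars`; the enrollment table, DN string and account name are constructed for illustration.

```python
# Added example: the web server terminates TLS and verifies the client
# certificate; the application never talks to the card, it only consumes
# the verification result exported by the server.
# Assumption: Apache mod_ssl exports the SSL_CLIENT_* variables used below.

# Constructed enrollment table: (issuer DN, certificate serial) -> account.
# Binding to issuer + serial avoids trusting a free-text CN on its own.
# The DN string must match the exact format your server emits.
ENROLLED = {
    ("CN=Example Card CA,O=Example Corp,C=US", "0A1B2C"): "jmiller",
}


class AuthError(Exception):
    """Raised when the request carries no acceptable client certificate."""


def user_from_request(environ, enrolled=ENROLLED):
    """Return the account bound to the verified client certificate."""
    # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or
    # FAILED:reason. Anything but SUCCESS is refused, including a
    # missing variable (fail closed).
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise AuthError("client certificate not verified by the web server")

    issuer = environ.get("SSL_CLIENT_I_DN", "").strip()
    serial = environ.get("SSL_CLIENT_M_SERIAL", "").strip().upper()
    if not issuer or not serial:
        raise AuthError("certificate details missing from environment")

    account = enrolled.get((issuer, serial))
    if account is None:
        # Valid certificate from a trusted CA, but not enrolled here.
        raise AuthError("certificate is not enrolled for this application")
    return account


def try_login(environ):
    """Return (account, None) on success, (None, reason) otherwise."""
    try:
        return user_from_request(environ), None
    except AuthError as exc:
        return None, str(exc)
```
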





RE: SmartCard Enabled Websites?

2003-01-13 Thread Joshua Miller
Interesting stuff Jochem, I'm getting ready to write a fairly large
VoiceXML application - you've given me something to chew on for that
application.

For the more immediate use, I will recommend only the hardware smartcard
- I was thinking that was really the only way, but I guess there's a lot
more to this technology than I imagined.

Thanks, to everyone who replied, for the information!

Joshua Miller
Head Programmer / IT Manager
Garrison Enterprises Inc.
www.garrisonenterprises.net
[EMAIL PROTECTED]
(704) 569-9044 ext. 254
 
