solution that gives a truly large community of users a solution, however simple. Many
enterprises did spend money on in-trusts, but I do not know if many organisations
actually use it extensively. Yes, there are various organisations that have maybe a
hundred users, maybe a thousand, maybe more. I do not know if many organisations
really have thirty thousand people using an in-trust system on a daily basis. It is not
anything specific to in-trust as this is true for all PKI vendors and it is also true for AR as
we have been in this business and have provided similar solutions in the past. The
traditional PKI approach is just too complicated even for restricted use within an
organisation. And I think that reality speaks for itself. I think that those in this business
knew that 1998 was going to be the PKI year, then 1999, then 2000 and that was
definitely going to be the PKI year. Now at the end of 2003 all I can see is that the
various statements that were made were made for a good reason. Because I do not
believe that you can set up a decent security system without using PKI; it is impossible to
have a true secured system without it being based on PKI technology. And this is why
the professionals say there is no alternative. We will have to find a way of using PKI if
we want security. I claim that the current way that this is organised is still a little bit
more complicated than people are willing to work with. As far as Microsoft goes we
were in Redmond working very closely with the company. Microsoft really liked our
solution and issued a PR that talks about how wonderful they think we are. It is true that
you can use various Microsoft components to set up a PKI system. You can set up a
Windows 2000 server and use various profile managers. You can sit there and you can
connect a number of components together and you can even deliver something to the
customer.
First of all, you still need to be a very capable integrator. Secondly, you do not
actually completely do everything that you expected to do. And thirdly, it does not solve
the main problem of whether or not you really manage the keys for your users in a
secured and convenient manner. This problem is not properly addressed in my opinion.
Stanley: There is still this issue of authentication integrity. Digital signature is one of
the main points of non-repudiation and the main focus of EU legislation in secured
signature creation device is the proof that you have this private key as a token. You say
you protect the key in your device but you also let it be used in a password so it is not
protected at the end of the day. You said we could use smart card biometrics.
Aharoni: First of all, even if you use a smart card-based solution, I can still forge
your signature; true professionals know how to do it. It is very easy. If I know you have
a smart card in your machine I can still change what your application sends to the smart
card and sign whatever I want. So a not too sophisticated virus that even I can write
myself can defraud systems no matter how strong you make them. The only solution is
that the issue of the virus and the various things you can install on your machine have to
be addressed from a protection point of view in industry. Industry has to regard this as a
serious enough threat; no matter how secure you set up your in-trust or whatever system,
I can still fool it very easily. One way of perhaps overcoming this is to go through what
people call today the trusted platform solution. We were involved in 1991 with a very
large project with Deutsche Bank that ended up failing but the intentions were very good.
What we built for them was a system where every single application that runs in your PC
had to be signed, the signature being verified by the operating system. And you cannot
install or include any operation; no component can be downloaded or installed in your