Hi Erik
I assume that you have a standalone software that you give to your customers and which can be used offline. The software then is under the complete control of your untrusted customer.
In that case, I do not see how you can avoid hardcoding the root cert in your code (or a thumbprint that you can use to verify that the root cert on the client side trust store is the one you used to sign the client cert)
If your self signed root cert is outside of your program, the untrusted customer can easily replace it by their own cert chain since everything in the customer environment other than the binary executable is in the customer control.
Ofcourse, if the customer is really determined he can always crack the binary, but as a minimum safegaurd i would think hardcoding the root cert in the program is necessary.
regards
Amol
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
I assume that you have a standalone software that you give to your customers and which can be used offline. The software then is under the complete control of your untrusted customer.
In that case, I do not see how you can avoid hardcoding the root cert in your code (or a thumbprint that you can use to verify that the root cert on the client side trust store is the one you used to sign the client cert)
If your self signed root cert is outside of your program, the untrusted customer can easily replace it by their own cert chain since everything in the customer environment other than the binary executable is in the customer control.
Ofcourse, if the customer is really determined he can always crack the binary, but as a minimum safegaurd i would think hardcoding the root cert in the program is necessary.
regards
Amol
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------
[ reply ]