One of the problems, and the reason everyone is offering alternate
suggestions, is that the additional control resides on the user's computer, and
can potentially be examined, scrutinized, changed, copied, or deleted by the
user. For instance, if a user has "admin rights" to their machine, all bets
are off; it is just like signing on with *SECOFR class authority, and they can do
whatever they desire to the machine.
"Obviously" this can be somewhat secured with group policy or whatnot.
How about some other items that may be less subject to change than an INI
file?
* MAC address (can be cloned or changed)
* Machine name / DNS name of client (can be changed)
* Client certificates, machine specific.
Another idea is machine specific PKI. Now this is something that could be on
the user's machine, but if changed would render useless any application
control.
This is a problem many people (and vendors) have tried to resolve with
differing levels of success. Personally, some kind of machine specific key
(PKI, or SHA-1 hash of some information *that can be independently duplicated
and verified*) seems like a better idea.
For example, take a SHA-1 hash of the user's *assigned* IP address, MAC
address, and machine/DNS name. Store that in the database (server). Assuming
(I know a big IF) this information is available during the 5250 signon
process, the i5/OS can dynamically calculate the hash. You could store the
hash on the PC, but it would only be a *verification* not a *validity*
mechanism.
I don't have a good answer for this. Any time you store something on the
user's machine, consider it suspect!!
--Loyd
On Mon, Jun 15, 2009 at 12:16 PM, Chamara Withanachchi
<chamaraw@xxxxxxxxxx> wrote:
> Ip + this pc based .ini file or access pc register
> .Ini file contains a unique key for the pc
> Then I have dual control.
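The server-side scheme sketched above (hash the assigned IP, MAC and DNS name, keep the digest in the server's table, recompute it at signon, and treat any copy on the PC as verification only) as an added Python model; this is not code from the thread, and the class names, function names and sample machine values are constructed for illustration.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional


class MachineFacts(NamedTuple):
    ip: str    # the *assigned* IP address
    mac: str   # hardware address, in any common notation
    host: str  # machine / DNS name


class SignonResult(NamedTuple):
    valid: bool                   # server-side recomputation matched the stored digest
    client_copy_consistent: bool  # the PC's INI copy agrees with the server (verification only)


def canonical(facts: MachineFacts) -> bytes:
    """Normalise before hashing so 'AA-BB-CC' and 'aa:bb:cc' give the same digest."""
    mac = facts.mac.lower().replace("-", "").replace(":", "")
    host = facts.host.strip().lower().rstrip(".")
    return "|".join((facts.ip.strip(), mac, host)).encode()


def fingerprint(facts: MachineFacts) -> str:
    # SHA-1 as in the post. The digest choice is not the weak point: the inputs
    # can be cloned, so assurance comes only from the server recomputing them itself.
    return hashlib.sha1(canonical(facts)).hexdigest()


class SignonRegistry:
    """Server-side table (constructed stand-in for the database): user -> expected digest."""

    def __init__(self) -> None:
        self._expected: dict[str, str] = {}

    def enroll(self, user: str, facts: MachineFacts) -> str:
        digest = fingerprint(facts)
        self._expected[user] = digest
        return digest

    def check(self, user: str, observed: MachineFacts,
              client_claimed: Optional[str] = None) -> SignonResult:
        """observed: facts the server collected from the connection itself.
        client_claimed: digest read from the PC's INI file; never used for validity."""
        expected = self._expected.get(user)
        if expected is None:
            return SignonResult(False, False)
        valid = hmac.compare_digest(fingerprint(observed), expected)
        consistent = client_claimed is not None and hmac.compare_digest(client_claimed, expected)
        return SignonResult(valid, consistent)
```

A mismatch in `client_copy_consistent` is a useful detection signal (the INI copy was altered or is stale), but a match proves nothing on its own, which is why `valid` depends solely on the server's recomputation.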