[prev in list] [next in list] [prev in thread] [next in thread]
List: mozilla-crypto
Subject: PKCS#11 - Transient Certificates/Keys
From: Jon Maber <jonmaber () bodington ! org>
Date: 2003-11-19 12:42:01
[Download RAW message or body]
I have a use case relating to authentication and I wonder if anyone can
advise me whether it can be implemented with the NSS internal PKCS#11
Module + the software security device or if it might require the coding
of a new security device.
We have a number of web sites that our users need to authenticate to and
they may need to access several during a single web browsing session. It
may be immpossible for all the web sites to access the same LDAP
directory and so X509.3 certificates seem a good way to handle
authentication. However, we have a major concern;
Users are likely to want to access the services from many different PCs
each of which may be used by many different users. It may therefore be
necessary for user certificates to be stored on a central server and
have the users collect them at the start of each session via a user name
+ password authentication, or to issue them with new, short lived
certificates at the start of every session. We would also like to use
some thin clients where the user doesn't have access rights to save
preferences to file.
We're concerned that users might store their certificates and keys on
the local hard disk with either no encryption or a poor choice of
password and we don't want to rely on managers of local area networks to
protect the files either. Use of portable devices to store keys is
really not viable for us. Most of all we want to avoid having to give
users a lot of complex advice about protecting their identity.
The question is this: is it possible for the server that issues/stores
user certificates to instruct the PKCS#11 Module not to store the
private key (or certificate) in any kind of persistent store? There are
two scenarios where we might want to apply this, 1) when the browser
generates a key pair - because we may choose to issue the user with a
very short lived certificate every time they log in. 2) when we deliver
the private key along with the certificate - because we may choose to
generate the key pair server side so we can create a long lived
certificate and simply reissue it. Of course we would also like to
avoid the need for a user to ever set a master password in the
browser.
I would appreciate comments on the use case and its possible
implementation. I'd especially like to hear from anyone who has already
implemented a solution for a similar scenario. I'm afraid the reality
is that most of our users will expect to use IE to access our web sites
but I suspect we'll make more progress working with Mozilla in the first
instance.
Jon Maber
bodington.org
The University of Leeds
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic