Globus-PKCS11

From PDP/Grid Wiki
Jump to navigationJump to search

One of the pain points of using the grid is certificate management. At the DutchGrid Certificate Authority we have introduced jGridstart to make this a much more smooth experience. This has taken the approach to generate a Globus-type certificate first, and then import that into the browser.

Now that certificates can be obtained from an online service (no need to wait for three days anymore), the certificate is generated inside the browser. So another way to link the Globus- and browser-certificate is needed. (Note that it was attempted to integrate jGridstart into the online portal, but some security measures made this not as smooth as intended.)

A promising solution is to use a software PKCS#11 module in the browser that works on Globus-type certificates. A good start is to use soft-pkcs11 which operates on PEM files directly. The following issues still need to be faced:

  • Use Globus-type certificates automatically (using environment/defaults) (done)
  • Don't require loading at module load but in session (so external updates can happen)
  • Add key-generation functionality so key/certificate can be generated from browser
  • Address the question how to handle the old certificate when a new one is being generated
  • Make sure it builds on other platforms
  • Smooth installation on multiple platforms and web browsers

Unfortunately Windows doesn't support PKCS#11 but uses CryptoAPI instead. So for Internet Explorer and other applications using the Windows keystore, a similar but different program will be required.

Usability

A simple read-only prototype has proven not as usable as hoped. The PKCS#11 standard requires one to present a pin-code before accessing the certificate, so just to see which certificates are present requires the pin-code; in addition to this I have often had to enter both the pin-code _and_ the master password (in Firefox). So his may only be usable when a single certificate is present. And it doesn't integrate with the normal certificate store.

While in some cases this may be useful, I don't think it's a good approach in general.

Possible improvements: ask password only when accessing private key. This might be doable with the pin-code, or else using a separate password dialog.

Code can be found at github.

Links