Difference between revisions of "Globus-PKCS11"

From PDP/Grid Wiki
(initial version)
 
(→‎Usability: add possible improvements)
 
(14 intermediate revisions by the same user not shown)
Line 1: Line 1:
One of the paint points of using the grid is certificate management. At the [http://ca.dutchgrid.nl/ DutchGrid Certificate Authority] we have introduced [http://jgridstart.nikhef.nl/ jGridstart] to make this a much more smooth experience. This has taken the approach to generate a Globus-type certificate first, and then import that into the browser.
+
One of the pain points of using the grid is certificate management. At the [http://ca.dutchgrid.nl/ DutchGrid Certificate Authority] we have introduced [http://jgridstart.nikhef.nl/ jGridstart] to make this a much more smooth experience. This has taken the approach to generate a Globus-type certificate first, and then import that into the browser.
  
 
Now that certificates can be obtained from an [http://ca.dutchgrid.nl/tcs-forward/ online service] (no need to wait for three days anymore), the certificate is generated inside the browser. So another way to link the Globus- and browser-certificate is needed. (Note that it was attempted to integrate jGridstart into the online portal, but some security measures made this not as smooth as intended.)
 
Now that certificates can be obtained from an [http://ca.dutchgrid.nl/tcs-forward/ online service] (no need to wait for three days anymore), the certificate is generated inside the browser. So another way to link the Globus- and browser-certificate is needed. (Note that it was attempted to integrate jGridstart into the online portal, but some security measures made this not as smooth as intended.)
Line 11: Line 11:
 
* Make sure it builds on other platforms
 
* Make sure it builds on other platforms
 
* Smooth installation on multiple platforms and web browsers
 
* Smooth installation on multiple platforms and web browsers
 +
 +
Unfortunately Windows doesn't support PKCS#11 but uses [http://en.wikipedia.org/wiki/Microsoft_CryptoAPI CryptoAPI] instead. So for Internet Explorer and other applications using the Windows keystore, a similar but different program will be required.
 +
 +
==Usability==
 +
A simple read-only prototype has proven not as usable as hoped. The PKCS#11 standard requires one to present a pin-code '''before''' accessing the certificate, so just to see which certificates are present requires the pin-code; in addition to this I have often had to enter both the pin-code _and_ the master password (in Firefox). So his may only be usable when a single certificate is present. And it doesn't integrate with the normal certificate store.
 +
 +
While in some cases this may be useful, I don't think it's a good approach in general.
 +
 +
Possible improvements: ask password only when accessing private key. This might be doable with the pin-code, or else using a separate password dialog.
 +
 +
Code can be found at [https://github.com/wvengen/globus-pkcs11 github].
 +
 +
==Links==
 +
* [http://wiki.cacert.org/Pkcs11TaskForce PKCS11 at CAcert]
 +
* Firefox PKCS11
 +
** [https://developer.mozilla.org/en/PKCS11_Module_Installation PKCS11 Module Installation] on Firefox 3.5 and newer
 +
** Using Mozilla's [http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html security module database] (including install script)
 +
** [http://docs.sun.com/source/816-6149-10/jimpkcs.htm Using the JAR Installation Manager] with NSS / Netscape
 +
* Mac OS X and PKCS11
 +
** [http://middleware.internet2.edu/pki06/proceedings/dinapoli-pkcs11-mac.pdf PKCS#11 and Mac OS X Keychain Integration] and the [http://ludovicrousseau.blogspot.com/2010/04/free-software-tokend-above-pkcs11-for.html software].
 +
* Related work
 +
** [http://www.iaeng.org/publication/IMECS2009/IMECS2009%20pp969-973.pdf Proxy certificate generation in the browser]
 +
** [http://sconnect.com/ SConnect]: [http://w2spconf.com/2009/papers/s4p4.pdf A Browser-Based Approach to Smart Card Connectivity]
 +
** [https://addons.mozilla.org/en-US/firefox/addon/51744/ Belgium eID Firefox Extension] ([http://code.google.com/p/eid-mw/source/browse/trunk/eid-mw/_src/eidmw/xpi/belgiumeid?r=46 source]), and a related [http://code.google.com/p/eid-javascript-lib/ javascript library]
 +
** [http://code.google.com/p/esteid EsteID] Estonian ID card software, including mozilla plugin for signing with javascript
 +
** OpenSC signer browser plugin ([http://git.debian.org/?p=pkg-opensc/opensc.git;a=tree;f=src/signer; source])
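Review bot: The new Usability paragraph says the PKCS#11 standard requires a pin-code before the certificate can be accessed, but the standard only puts objects marked private (CKA_PRIVATE true) behind login; certificate objects may be public and can then be listed without a PIN. Suggest attributing the prompt to the prototype module and the browser rather than to the standard, which also ties in with the "ask password only when accessing private key" improvement listed below it. In the same paragraph, "So his may only be usable" should read "So this", and "_and_" is not wiki markup (use ''and'').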

Latest revision as of 09:56, 3 May 2011

One of the pain points of using the grid is certificate management. At the DutchGrid Certificate Authority we have introduced jGridstart to make this a much smoother experience. jGridstart takes the approach of generating a Globus-type certificate first, and then importing it into the browser.

Now that certificates can be obtained from an online service (no need to wait for three days anymore), the certificate is generated inside the browser. So another way to link the Globus certificate and the browser certificate is needed. (Note that an attempt was made to integrate jGridstart into the online portal, but some security measures made this not as smooth as intended.)

A promising solution is to use a software PKCS#11 module in the browser that works on Globus-type certificates. A good start is to use soft-pkcs11 which operates on PEM files directly. The following issues still need to be faced:

  • Use Globus-type certificates automatically (using environment/defaults) (done)
  • Don't require loading at module load but in session (so external updates can happen)
  • Add key-generation functionality so key/certificate can be generated from browser
  • Address the question of how to handle the old certificate when a new one is being generated
  • Make sure it builds on other platforms
  • Smooth installation on multiple platforms and web browsers

Unfortunately Windows doesn't support PKCS#11 but uses CryptoAPI instead. So for Internet Explorer and other applications using the Windows keystore, a similar but different program will be required.

Usability

A simple read-only prototype has proven not as usable as hoped. The PKCS#11 standard requires one to present a pin-code before accessing the certificate, so just to see which certificates are present requires the pin-code; in addition to this I have often had to enter both the pin-code and the master password (in Firefox). So this may only be usable when a single certificate is present. And it doesn't integrate with the normal certificate store.

While in some cases this may be useful, I don't think it's a good approach in general.

Possible improvements: ask password only when accessing private key. This might be doable with the pin-code, or else using a separate password dialog.
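The improvement above maps onto PKCS#11's split between public and private objects. The following is an added sketch, not code from the globus-pkcs11 or soft-pkcs11 projects: it models a token that stores the certificate as a public object and only the key as private, so listing certificates needs no PIN. The struct, the store contents and the function names are hypothetical; only the numeric constants come from the PKCS#11 specification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Values as defined in the PKCS#11 specification. */
#define CKO_CERTIFICATE        0x00000001UL
#define CKO_PRIVATE_KEY        0x00000003UL
#define CKR_OK                 0x00000000UL
#define CKR_KEY_HANDLE_INVALID 0x00000060UL
#define CKR_USER_NOT_LOGGED_IN 0x00000101UL

/* Hypothetical object record, not soft-pkcs11's real data structure. */
struct token_object { unsigned long obj_class; bool is_private; };
/* Constructed store: one Globus-style certificate/key pair. */
static const struct token_object store[] = {
    { CKO_CERTIFICATE, false },  /* certificate file: CKA_PRIVATE false */
    { CKO_PRIVATE_KEY, true  },  /* key file: CKA_PRIVATE true */
};
#define STORE_LEN (sizeof store / sizeof store[0])

/* Public objects are always visible; private ones only after login. */
static bool object_visible(const struct token_object *o, bool logged_in)
{
    return !o->is_private || logged_in;
}

/* Model of C_FindObjects: stores matching indexes in out, returns the count. */
size_t find_objects(unsigned long obj_class, bool logged_in, size_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < STORE_LEN && n < max; i++)
        if (store[i].obj_class == obj_class && object_visible(&store[i], logged_in))
            out[n++] = i;
    return n;
}

/* Model of the check made before a signing operation starts. */
unsigned long sign_init(size_t idx, bool logged_in)
{
    if (idx >= STORE_LEN || store[idx].obj_class != CKO_PRIVATE_KEY)
        return CKR_KEY_HANDLE_INVALID;
    return object_visible(&store[idx], logged_in) ? CKR_OK : CKR_USER_NOT_LOGGED_IN;
}

int main(void)
{
    size_t out[2];
    printf("certificates visible before login: %zu\n", find_objects(CKO_CERTIFICATE, false, out, 2));
    return 0;
}
```

With this split the PIN prompt moves from certificate enumeration to the first private-key operation.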

Code can be found at github (https://github.com/wvengen/globus-pkcs11).

Links