Difference between revisions of "Globus-PKCS11"

From PDP/Grid Wiki
Line 18: Line 18:
 
** Using Mozilla's [http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html security module database] (including install script)
 
** Using Mozilla's [http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html security module database] (including install script)
 
** [http://docs.sun.com/source/816-6149-10/jimpkcs.htm Using the JAR Installation Manager] with NSS / Netscape
 
** [http://docs.sun.com/source/816-6149-10/jimpkcs.htm Using the JAR Installation Manager] with NSS / Netscape
** [https://addons.mozilla.org/en-US/firefox/addon/51744/ Belgium eID Firefox Extension]
+
** [https://addons.mozilla.org/en-US/firefox/addon/51744/ Belgium eID Firefox Extension], and a related [http://code.google.com/p/eid-javascript-lib/ javascript library]
 
* Related work
 
* Related work
 
** [http://www.iaeng.org/publication/IMECS2009/IMECS2009%20pp969-973.pdf Proxy certificate generation in the browser]
 
** [http://www.iaeng.org/publication/IMECS2009/IMECS2009%20pp969-973.pdf Proxy certificate generation in the browser]
 
** [http://sconnect.com/ SConnect]: [http://w2spconf.com/2009/papers/s4p4.pdf A Browser-Based Approach to Smart Card Connectivity]
 
** [http://sconnect.com/ SConnect]: [http://w2spconf.com/2009/papers/s4p4.pdf A Browser-Based Approach to Smart Card Connectivity]
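Review bot: on the changed Belgium eID line, the new link text reads "javascript library"; capitalise it as "JavaScript library" to match the proper-noun style of the other entries in this list (NSS, JAR Installation Manager, SConnect).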

Revision as of 08:31, 19 October 2010

One of the pain points of using the grid is certificate management. At the DutchGrid Certificate Authority we have introduced jGridstart to make this a much smoother experience. It takes the approach of generating a Globus-type certificate first and then importing that into the browser.

Now that certificates can be obtained from an online service (no need to wait for three days anymore), the certificate is generated inside the browser, so another way to link the Globus and browser certificates is needed. (Note that an attempt was made to integrate jGridstart into the online portal, but some security measures made this less smooth than intended.)

A promising solution is to use a software PKCS#11 module in the browser that works on Globus-type certificates. A good start is soft-pkcs11, which operates on PEM files directly. The following issues still need to be addressed:

  • Use Globus-type certificates automatically (using environment/defaults) (done)
  • Don't require loading at module load, but load in the session instead (so external updates can happen)
  • Add key-generation functionality so a key/certificate can be generated from the browser
  • Address the question of how to handle the old certificate when a new one is being generated
  • Make sure it builds on other platforms
  • Smooth installation on multiple platforms and web browsers
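
The first two items in the list above, sketched as an added example (not soft-pkcs11 or jGridstart code). It assumes the usual Globus convention that X509_USER_CERT and X509_USER_KEY override $HOME/.globus/usercert.pem and userkey.pem; the struct and function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

struct globus_cred {                 /* hypothetical per-session state */
    char cert[1024], key[1024];
    time_t cert_mtime, key_mtime;
};

/* Assumed Globus convention: env override first, else $HOME/.globus default. */
static int pick(const char *env, const char *leaf, char *out, size_t n)
{
    const char *v = getenv(env), *home = getenv("HOME");
    int len = -1;
    if (v && *v) len = snprintf(out, n, "%s", v);
    else if (home && *home) len = snprintf(out, n, "%s/.globus/%s", home, leaf);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Call at session open, not module load, so externally renewed files are seen.
 * 0 ok, -1 no path, -2 file missing, -3 key accessible to group/others. */
int globus_cred_locate(struct globus_cred *c)
{
    struct stat sc, sk;
    if (pick("X509_USER_CERT", "usercert.pem", c->cert, sizeof c->cert) ||
        pick("X509_USER_KEY", "userkey.pem", c->key, sizeof c->key))
        return -1;
    if (stat(c->cert, &sc) || stat(c->key, &sk)) return -2;
    if (sk.st_mode & (S_IRWXG | S_IRWXO)) return -3;
    c->cert_mtime = sc.st_mtime;
    c->key_mtime = sk.st_mtime;
    return 0;
}

/* 1 if either file changed or vanished since globus_cred_locate(). */
int globus_cred_stale(const struct globus_cred *c)
{
    struct stat sc, sk;
    if (stat(c->cert, &sc) || stat(c->key, &sk)) return 1;
    return sc.st_mtime != c->cert_mtime || sk.st_mtime != c->key_mtime;
}

int main(void)
{
    struct globus_cred c;
    int rc = globus_cred_locate(&c);
    if (rc == 0) printf("cert %s\nkey  %s\n", c.cert, c.key);
    return rc ? 1 : 0;
}
```

A module would call `globus_cred_locate()` when a session is opened and `globus_cred_stale()` before reusing cached objects, re-reading the PEM files when it returns 1.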

Links