Difference between revisions of "Globus-PKCS11"
(add links) |
(→Usability: add possible improvements) |
||
| (12 intermediate revisions by the same user not shown) | |||
| Line 11: | Line 11: | ||
* Make sure it builds on other platforms | * Make sure it builds on other platforms | ||
* Smooth installation on multiple platforms and web browsers | * Smooth installation on multiple platforms and web browsers | ||
| + | |||
| + | Unfortunately Windows doesn't support PKCS#11 but uses [http://en.wikipedia.org/wiki/Microsoft_CryptoAPI CryptoAPI] instead. So for Internet Explorer and other applications using the Windows keystore, a similar but different program will be required. | ||
| + | |||
| + | ==Usability== | ||
| + | A simple read-only prototype has proven not as usable as hoped. The PKCS#11 standard requires one to present a pin-code '''before''' accessing the certificate, so just to see which certificates are present requires the pin-code; in addition to this I have often had to enter both the pin-code _and_ the master password (in Firefox). So his may only be usable when a single certificate is present. And it doesn't integrate with the normal certificate store. | ||
| + | |||
| + | While in some cases this may be useful, I don't think it's a good approach in general. | ||
| + | |||
| + | Possible improvements: ask password only when accessing private key. This might be doable with the pin-code, or else using a separate password dialog. | ||
| + | |||
| + | Code can be found at [https://github.com/wvengen/globus-pkcs11 github]. | ||
==Links== | ==Links== | ||
| Line 18: | Line 29: | ||
** Using Mozilla's [http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html security module database] (including install script) | ** Using Mozilla's [http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html security module database] (including install script) | ||
** [http://docs.sun.com/source/816-6149-10/jimpkcs.htm Using the JAR Installation Manager] with NSS / Netscape | ** [http://docs.sun.com/source/816-6149-10/jimpkcs.htm Using the JAR Installation Manager] with NSS / Netscape | ||
| + | * Mac OS X and PKCS11 | ||
| + | ** [http://middleware.internet2.edu/pki06/proceedings/dinapoli-pkcs11-mac.pdf PKCS#11 and Mac OS X Keychain Integration] and the [http://ludovicrousseau.blogspot.com/2010/04/free-software-tokend-above-pkcs11-for.html software]. | ||
| + | * Related work | ||
| + | ** [http://www.iaeng.org/publication/IMECS2009/IMECS2009%20pp969-973.pdf Proxy certificate generation in the browser] | ||
| + | ** [http://sconnect.com/ SConnect]: [http://w2spconf.com/2009/papers/s4p4.pdf A Browser-Based Approach to Smart Card Connectivity] | ||
| + | ** [https://addons.mozilla.org/en-US/firefox/addon/51744/ Belgium eID Firefox Extension] ([http://code.google.com/p/eid-mw/source/browse/trunk/eid-mw/_src/eidmw/xpi/belgiumeid?r=46 source]), and a related [http://code.google.com/p/eid-javascript-lib/ javascript library] | ||
| + | ** [http://code.google.com/p/esteid EsteID] Estonian ID card software, including mozilla plugin for signing with javascript | ||
| + | ** OpenSC signer browser plugin ([http://git.debian.org/?p=pkg-opensc/opensc.git;a=tree;f=src/signer; source]) | ||
Latest revision as of 11:56, 3 May 2011
One of the pain points of using the grid is certificate management. At the DutchGrid Certificate Authority we have introduced jGridstart to make this a much more smooth experience. This has taken the approach to generate a Globus-type certificate first, and then import that into the browser.
Now that certificates can be obtained from an online service (no need to wait for three days anymore), the certificate is generated inside the browser. So another way to link the Globus- and browser-certificate is needed. (Note that it was attempted to integrate jGridstart into the online portal, but some security measures made this not as smooth as intended.)
A promising solution is to use a software PKCS#11 module in the browser that works on Globus-type certificates. A good start is to use soft-pkcs11 which operates on PEM files directly. The following issues still need to be faced:
- Use Globus-type certificates automatically (using environment/defaults) (done)
- Don't require loading at module load but in session (so external updates can happen)
- Add key-generation functionality so key/certificate can be generated from browser
- Address the question how to handle the old certificate when a new one is being generated
- Make sure it builds on other platforms
- Smooth installation on multiple platforms and web browsers
Unfortunately Windows doesn't support PKCS#11 but uses CryptoAPI instead. So for Internet Explorer and other applications using the Windows keystore, a similar but different program will be required.
Usability
A simple read-only prototype has proven not as usable as hoped. The PKCS#11 standard requires one to present a pin-code before accessing the certificate, so just to see which certificates are present requires the pin-code; in addition to this I have often had to enter both the pin-code _and_ the master password (in Firefox). So his may only be usable when a single certificate is present. And it doesn't integrate with the normal certificate store.
While in some cases this may be useful, I don't think it's a good approach in general.
Possible improvements: ask password only when accessing private key. This might be doable with the pin-code, or else using a separate password dialog.
Code can be found at github.
Links
- PKCS11 at CAcert
- Firefox PKCS11
- PKCS11 Module Installation on Firefox 3.5 and newer
- Using Mozilla's security module database (including install script)
- Using the JAR Installation Manager with NSS / Netscape
- Mac OS X and PKCS11
- Related work
- Proxy certificate generation in the browser
- SConnect: A Browser-Based Approach to Smart Card Connectivity
- Belgium eID Firefox Extension (source), and a related javascript library
- EsteID Estonian ID card software, including mozilla plugin for signing with javascript
- OpenSC signer browser plugin (source)
