
Improved X.509 Management Using PKCS11

Daniel Kouřil, Michal Procházka, CESNET, EGI TF 2011. PKCS11: a widely accepted standard to access security devices; a general API hiding implementation details of the actual token, whether HW (smart cards) or SW (soft token).


Presentation Transcript


  1. Improved X.509 Management Using PKCS11
     Daniel Kouřil, Michal Procházka, CESNET
     EGI TF 2011

  2. PKCS11
     • Widely accepted standard to access security devices
     • A general API hiding implementation details of the actual token
     • HW (smart cards), SW (soft token)
     • Usually configured at run time
     • Supported by a wide range of applications

  3. Use-cases to Address
     • Single credentials repository on a desktop
     • Remotely available credentials
     • Management of IGTF anchors

  4. Desktop credentials locations
     • Users are often required to handle files with certs
     • One repository for all applications
     • A single place to secure and manage
     • Mozilla's NSS
     • Soft token PKCS11 available with every Firefox/Thunderbird installation
     • We're on grid though

  5. NSS for VOMS
     • VOMS with PKCS11 support should be part of EMI2
     • Seamless access to browser credentials
     • for users with e.g. TCS credentials
     • Creds do not need to be stored in files

  6. IGTF Anchors

  7. IGTF Anchors
     • PKCS11 token providing a list of CAs and describing their trust level
     • Interface to the local CA directory
     • /etc/grid-security/certificates
     • Populated and maintained either manually or by a package (Debian, Ubuntu, …)
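The anchor token on this slide exposes whatever is in the local CA directory. The following is an added example, not code from the presentation or from the MetaCentrum module: it models a CA directory in the IGTF layout as an in-memory dictionary (hash-named files `<hash>.0`, `<hash>.signing_policy` and `<hash>.info`; the `alias` and `status` keys follow the IGTF distribution's `.info` convention as I understand it, and the hash names and file contents are constructed placeholders), reads the trust level from each `.info` file, and reports which anchors a token should present as usable. The check for a missing signing policy and for a non-accredited status is my own design choice, not something the slide specifies.

```python
"""Toy view of an IGTF-style CA directory, as a PKCS11 anchor token would see it.

Added illustration; file names, hashes and contents below are constructed
placeholders, not real IGTF data.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-in for /etc/grid-security/certificates.
SAMPLE_CA_DIR: Dict[str, str] = {
    # Accredited CA with certificate, signing policy and info file.
    "1a2b3c4d.0": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
    "1a2b3c4d.signing_policy": "access_id_CA X509 '/DC=org/DC=example/CN=Example Accredited CA'\n",
    "1a2b3c4d.info": "# constructed sample\nalias = ExampleCA-Accredited\nstatus = accredited:classic\n",
    # Experimental CA: complete, but not accredited.
    "5e6f7a8b.0": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
    "5e6f7a8b.signing_policy": "access_id_CA X509 '/DC=org/DC=example/CN=Example Experimental CA'\n",
    "5e6f7a8b.info": "alias = ExampleCA-Experimental\nstatus = experimental\n",
    # Accredited status claimed, but the signing policy file is missing.
    "9c0d1e2f.0": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
    "9c0d1e2f.info": "alias = ExampleCA-NoPolicy\nstatus = accredited:classic\n",
}


@dataclass
class Anchor:
    hash_name: str          # basename shared by the .0/.signing_policy/.info files
    alias: str
    status: str             # e.g. "accredited:classic"; the part before ':' is the level
    has_cert: bool
    has_signing_policy: bool

    @property
    def trust_level(self) -> str:
        return self.status.split(":")[0]


def parse_info(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines of a .info file; '#' lines are comments."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip()
    return result


def list_anchors(files: Dict[str, str]) -> List[Anchor]:
    """Build one Anchor per .info file, noting which companion files exist."""
    anchors: List[Anchor] = []
    for name in sorted(files):
        if not name.endswith(".info"):
            continue
        base = name[: -len(".info")]
        info = parse_info(files[name])
        anchors.append(Anchor(
            hash_name=base,
            alias=info.get("alias", base),
            status=info.get("status", "unknown"),
            has_cert=(base + ".0") in files,
            has_signing_policy=(base + ".signing_policy") in files,
        ))
    return anchors


def usable_anchors(anchors: List[Anchor], required_level: str = "accredited") -> List[Anchor]:
    """Anchors a token should present: required trust level and complete files."""
    return [
        a for a in anchors
        if a.trust_level == required_level and a.has_cert and a.has_signing_policy
    ]


if __name__ == "__main__":
    for a in list_anchors(SAMPLE_CA_DIR):
        ok = a in usable_anchors([a])
        print(f"{a.hash_name} {a.alias:25s} {a.status:20s} usable={ok}")
```

Run against the constructed directory, only `ExampleCA-Accredited` is reported usable: the experimental CA fails the trust-level check and the third entry fails because its signing policy is absent, which is the kind of inconsistency a manually maintained directory can accumulate.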

  8. MyProxy PKCS11
     • Access to credentials in MyProxy server
     • Credentials must be loaded beforehand
     • Usable by any PKCS11-enabled application
     • Thunderbird, browsers, VPN clients
     • voms-proxy-init
     • Creds aren't stored in the application

  9. Remote Smart Card
     • Two modes possible
     • Smart card
       • Full support of PKCS11 abstraction
       • Requires changes on the MyProxy server
     • Repository
       • Simpler, less secure (creds are transmitted to the client)
       • No server modifications

  10. Conclusions
     • PKCS11 modules to improve users' experience
     • Support in any PKCS11 applications
     • Not grid specific
     • Available from http://www.metacentrum.cz/en/about/devel/
