1 / 11

Enhancing X.509 Management with PKCS#11: Streamlined Credential Access and Security

This paper explores the benefits of using PKCS#11 for improved management of X.509 certificates. By providing a standardized API for security devices, both hardware (smartcards) and software (soft tokens), PKCS#11 simplifies credential access across various applications, including Firefox and Thunderbird. It addresses use cases like a single, unified credentials repository, remote access to credentials, and the effective management of trusted anchors. The paper ultimately advocates for the adoption of PKCS#11 to enhance user experience and security in credential handling for diverse applications.

marika
Download Presentation

Enhancing X.509 Management with PKCS#11: Streamlined Credential Access and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Improved X.509 Management Using PKCS11 Daniel Kouřil, Michal Procházka CESNET EGI TF 2011

  2. PKCS11 • Widely accepted standard to accesssecuritydevices • A general API hidingimplementationdetailsoftheactualtoken • HW (smartcards), SW (soft token) • Usuallyconfiguredat run time • Supported by widerangeofapplications

  3. Use-cases to Address • Single credentials repository on a desktop • A remotely available credentials • Management of IGTF anchors

  4. Desktop credentials locations • Users are often required to handle fileswithcerts • One repository for all applications • A single place to secure and manage • Mozilla‘s NSS • soft token PKCS11available with every Firefox/Thunderbird installation • We’re on grid though

  5. NSS for VOMS • Vomswith PKCS11 support should be part of EMI2 • Seamlessaccess to browsercredentials • for users with e.g. TCS credentials • Creds do not need to bestored in files

  6. IGTF Anchors

  7. IGTFAnchors • PKCS11 tokenproviding a list ofCAsanddescribingthey trust level • Interface to local ca directory • /etc/grid-security/certificates • Populated and maintained either manually or by a package (Debian, Ubuntu, …)

  8. MyProxy PKCS11 • Access to credentials in Myproxy server • Credentialsmustbeloadedbefore • Usable by any PKCS11-enabledapplication • Thunderbird, browsers, VPN clients • voms-proxy-init • Creds aren’t stored in the application

  9. Remote Smart Card • Two modes possible • Smart card • Full support of PKCS11 abstraction • Requires changes on the MyProxy server • Repository • Simpler, less secure (creds are transmitted to the client) • No server modifications

  10. Conclusions • PKCS11 modules to improveusers‘ experience • Support in any PKCS11 applications • Not gridspecific • Available from http://www.metacentrum.cz/en/about/devel/

More Related