On Tue, Jan 19, 2016 at 2:32 PM, Grant <emailgrant@×××××.com> wrote:
>
> I'm sorry, I meant can I lock down access to my web stuff so that a
> particular user can only come from a particular device (or from any
> device containing a key).
>

It looks like this hasn't been widely implemented, but it looks like
they do have the ability to generate TPM-backed client certificates
which could then be used for authentication (and you can set a policy
to auto-authenticate using the certificate). It looks like you need
to use an extension to generate the key and CSR, and load the
certificate. Google wrote an extension that does this for Active
Directory, but for any other certificate authority it looks like you
basically have to write your own (and probably publish it as FOSS).

So, the idea would be that you'd provision the device and then log
into it. The device would auto-install the certificate installer and
then you'd run that extension to load a certificate and mark it for
use for all users on the device. Then any user on that device could
authenticate using the certificate. The key would be stored in the
TPM and would never leave the device, and wiping the device would
destroy the key.

You mentioned GPG keys, and this stuff is all RSA-backed, but SSL
client certificates don't use GPG itself. All of this is FOSS as far
as I can tell. All browsers can load and use client certificates, but
the advantage of a Chromebook is that the key can be generated by the
TPM and never leave it.

--
Rich
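The server-side half of the scheme Rich describes, as an added example that is not part of the thread: an nginx configuration that requires a client certificate issued by the device CA and pins a user to the fingerprint of the certificate loaded on their device. The hostname, file paths, fingerprint value and backend address are placeholders.

```nginx
# Added example, not from the thread. Assumes: nginx 1.7.1 or later
# (for $ssl_client_fingerprint), a private CA that issued the device
# certificates, and a backend that trusts the X-Device-User header.

# Bind each device certificate (by SHA-1 fingerprint) to the one user
# allowed to log in from it. Unknown certificates map to "".
map $ssl_client_fingerprint $device_user {
    default "";
    # Placeholder fingerprint: take the real value from the certificate
    # the extension loaded onto the device.
    "0000000000000000000000000000000000000000" "grant";
}

server {
    listen 443 ssl;
    server_name example.org;   # placeholder

    ssl_certificate     /etc/nginx/tls/server.pem;   # placeholder
    ssl_certificate_key /etc/nginx/tls/server.key;   # placeholder

    # Every connection must present a certificate chaining to the
    # device CA; the handshake fails otherwise.
    ssl_client_certificate /etc/nginx/tls/device-ca.pem;   # placeholder
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        # A valid CA-issued certificate is not enough: it must also be
        # one that has been pinned to a user above.
        if ($device_user = "") {
            return 403;
        }
        proxy_set_header X-Device-User $device_user;
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
    }
}
```

The backend still has to compare X-Device-User with the account that actually logs in, which is what turns "has a device certificate" into "this user may only come from this device".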