On Tuesday 19 Jan 2016 17:46:27 Rich Freeman wrote:
> On Tue, Jan 19, 2016 at 2:32 PM, Grant <emailgrant@×××××.com> wrote:
> > I'm sorry, I meant can I lock down access to my web stuff so that a
> > particular user can only come from a particular device (or from any
> > device containing a key).
>
> It looks like this hasn't been widely implemented, but it looks like
> they do have the ability to generate TPM-backed client certificates
> which could then be used for authentication (and you can set a policy
> to auto-authenticate using the certificate). It looks like you need
> to use an extension to generate the key and csr, and load the
> certificate. Google wrote an extension that does this for active
> directory, but for any other certificate authority it looks like you
> basically have to write your own (and probably publish it as FOSS).
>
> So, the idea would be that you'd provision the device and then log
> into it. The device would auto-install the certificate installer and
> then you'd run that extension to load a certificate and mark it for
> use for all users on the device. Then any user on that device could
> authenticate using the certificate. The key would be stored in the
> TPM and would never leave the device, and wiping the device would
> destroy the key.
>
> You mentioned GPG keys, and this stuff is all RSA-backed, but SSL
> client certificates don't use GPG itself. All of this is FOSS as far
> as I can tell. All browsers can load and use client certificates, but
> the advantage of a chromebook is that the key can be generated by the
> TPM and never leave it.

You can use apache client authentication with SSL certificates only. Of
course you will need to create a self-signed CA, which you will use to create
the web server public/private key pair and also sign each client's certificate
and upload it along with your CA certificate to the user's browser. This
explains the principle:

http://wiki.cacert.org/HELP/9


Ditto with the VPN connection - should you still want to use VPN.

If a user certificate is lost or feared compromised, you revoke it with your
CA and upload the CRL to the server.

However, this won't do away with XSS, or other similar attack vectors if the
users are not careful with their browsing habits.

This won't resolve problems with lost laptops and the like either, so previous
suggestions for disk encryption, or chromebooks apply, if this is a
considerable risk with your users.
-- 
Regards,
Mick
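The CA / client-certificate / CRL workflow Mick outlines, carried through end to end as an added example that is not part of the thread and not code from any of its participants. It assumes only the openssl command-line tool; the CA name, the host name www.example.test, the user alice, the PKCS#12 password and the Apache vhost fragment are all constructed for the demonstration. It builds the self-signed CA, signs a server and a client certificate, bundles the client key and certificate with the CA certificate for import into a browser, then revokes the client certificate, issues a CRL and checks that verification against the CRL now fails.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA for Apache client-certificate
# authentication. Builds CA, server cert and client cert (bundled as PKCS#12 for
# the browser), then revokes the client cert and issues a CRL. Needs the openssl
# CLI; every name and the "example" password below are made up.
set -eu

# Minimal openssl.cnf plus the bookkeeping files "openssl ca" insists on.
write_config() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"        # CA database, starts empty
    echo 01 > "$dir/serial"     # next certificate serial number
    echo 01 > "$dir/crlnumber"  # next CRL number
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = v3_ca
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = example_ca
[ example_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Fresh key + CSR for one entity, signed by the CA with the named extension section.
issue_cert() {
    dir=$1; name=$2; cn=$3; ext=$4
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -subj "/CN=$cn" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl ca -batch -notext -config "$dir/openssl.cnf" -extensions "$ext" \
        -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
}

setup_pki() {
    dir=$1
    write_config "$dir"
    # Self-signed CA: the single trust anchor the server and the browsers share.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/openssl.cnf" \
        -subj "/CN=Example Private CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    issue_cert "$dir" server www.example.test v3_server
    issue_cert "$dir" client alice v3_client
    # What the user imports into the browser: client key + cert + CA cert in one file.
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -certfile "$dir/ca.crt" -name alice -passout pass:example -out "$dir/client.p12"
    # Hypothetical mod_ssl fragment: admit only certs signed by our CA, honour the CRL.
    cat > "$dir/apache-ssl.conf" <<EOF
SSLEngine on
SSLCertificateFile    $dir/server.crt
SSLCertificateKeyFile $dir/server.key
SSLCACertificateFile  $dir/ca.crt
SSLVerifyClient       require
SSLVerifyDepth        1
SSLCARevocationFile   $dir/crl.pem
SSLCARevocationCheck  chain
EOF
}

# Revoke the client cert and regenerate the CRL (the file Apache reads above).
revoke_client() {
    dir=$1
    openssl ca -config "$dir/openssl.cnf" -revoke "$dir/client.crt" 2>/dev/null
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Check the client cert the way a CRL-aware server would: prints valid/revoked/invalid.
cert_status() {
    dir=$1; bundle="$dir/ca.crt"; flags=""
    if [ -s "$dir/crl.pem" ]; then      # -CAfile may hold certs and CRLs together
        cat "$dir/ca.crt" "$dir/crl.pem" > "$dir/ca_and_crl.pem"
        bundle="$dir/ca_and_crl.pem"; flags="-crl_check"
    fi
    out=$(openssl verify $flags -CAfile "$bundle" "$dir/client.crt" 2>&1) || true
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo valid ;;
        *)                       echo invalid ;;
    esac
}

PKI_DIR=$(mktemp -d)
setup_pki "$PKI_DIR"
STATUS_BEFORE=$(cert_status "$PKI_DIR")
revoke_client "$PKI_DIR"
STATUS_AFTER=$(cert_status "$PKI_DIR")
echo "client cert before revocation: $STATUS_BEFORE, after: $STATUS_AFTER"
```

Running it prints "client cert before revocation: valid, after: revoked" and leaves everything in a temporary directory: ca.crt and crl.pem are what go onto the web server, client.p12 is what the user imports into the browser. Each time a certificate is revoked the CRL has to be regenerated, copied to the path named in SSLCARevocationFile and Apache reloaded, and the CRL's own validity (default_crl_days above) has to be renewed on the server before it expires or mod_ssl will start rejecting all clients.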