Hi Prabath, Hope u had a look at this
http://www.youtube.com/watch?v=SfMeKnch3YA

On Mon, Aug 5, 2013 at 1:41 PM, Shanmugarajah Sinnathamby <[email protected]> wrote:
> Hi Prabath,
>
> The challenge is a random number generated and associated with a user and
> device. So when the SCEP request hits in, we check the Challenge and the
> associated user device and a flag is set.
> Also this gives a flexibility for the user to enroll 1 or more device,
> since the challenge is for the device.
>
> Let's say the challenge is stolen by another user or same user, if he tries
> to get the certificate using the same challenge, there is a validation
> against the user and device. Do you think this can help us to secure?
> If not what is the best method to overcome the SCEP vulnerability.
>
> On Mon, Aug 5, 2013 at 10:39 AM, Prabath Siriwardena <[email protected]> wrote:
>
>> I guess user challenge itself is not enough.. We also need to validate
>> the SCEP request..
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Mon, Aug 5, 2013 at 10:32 AM, Shanmugarajah Sinnathamby <[email protected]> wrote:
>>
>>> Hi Prabath,
>>>
>>> Currently SCEP server is within the MDM domain itself. Where validation
>>> will be done based on the user challenge before it gets passed to it. The
>>> validation part is not done.
>>> Also there is a performance issue in the time taken to enroll a device;
>>> Mayuran is working on that along with the validation.
>>>
>>> Thanks,
>>> -Shan
>>>
>>> On Sun, Aug 4, 2013 at 1:38 PM, Prabath Siriwardena <[email protected]> wrote:
>>>
>>>> Hi Dilshan,
>>>>
>>>> Have we considered passing the SCEP requests from the devices through
>>>> the MDM and validate those.. There is a separate mail on that..
>>>>
>>>> Thanks & regards,
>>>> -Prabath
>>>>
>>>> On Sun, Aug 4, 2013 at 10:11 AM, Dilshan Edirisuriya <[email protected]> wrote:
>>>>
>>>>> Yes Prabath our MDM needs not to work as a SCEP server. Right now it's
>>>>> a separate WEBrick web server and the code is written in Ruby.
>>>>> SCEP server can be any third party server like EJBCA etc. I had an offline
>>>>> discussion with Azeez and came to a conclusion that the SCEP server part
>>>>> needs to be separated out to a web app written in Java. So any time it can
>>>>> be replaced with anything. Ideally which I believe this part needs to be
>>>>> handled by IS and MDM only communicate with it through the information
>>>>> provided at the deployment time.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Dilshan
>>>>>
>>>>> On Sun, Aug 4, 2013 at 7:09 AM, Prabath Siriwardena <[email protected]> wrote:
>>>>>
>>>>>> Just had a look at how this works with iOS [1]..
>>>>>>
>>>>>> I may be totally wrong (please correct me in that case) - I just went
>>>>>> through the doc quickly..
>>>>>>
>>>>>> In the Response from the MDM - it has the following.. Which in fact is
>>>>>> giving details to connect to a different SCEP server.. so our MDM needs
>>>>>> not to work as a SCEP server..
>>>>>>
>>>>>> <array>
>>>>>>   <dict>
>>>>>>     <key>PayloadContent</key>
>>>>>>     <dict>
>>>>>>       <key>URL</key>
>>>>>>       <string>https://scep.example.com/scep</string>
>>>>>>       <key>Name</key>
>>>>>>       <string>EnrollmentCAInstance</string>
>>>>>>       <key>Subject</key>
>>>>>>       <array>
>>>>>>         <array>
>>>>>>           <array>
>>>>>>             <string>O</string>
>>>>>>             <string>Example, Inc.</string>
>>>>>>           </array>
>>>>>>         </array>
>>>>>>         <array>
>>>>>>           <array>
>>>>>>             <string>CN</string>
>>>>>>             <string>User Device Cert</string>
>>>>>>           </array>
>>>>>>         </array>
>>>>>>       </array>
>>>>>>       <key>Challenge</key>
>>>>>>       <string>...</string>
>>>>>>       <key>Keysize</key>
>>>>>>       <integer>1024</integer>
>>>>>>       <key>Key Type</key>
>>>>>>       <string>RSA</string>
>>>>>>       <key>Key Usage</key>
>>>>>>       <integer>5</integer>
>>>>>>     </dict>
>>>>>>
>>>>>> Thanks & regards,
>>>>>> -Prabath
>>>>>>
>>>>>> [1]:
>>>>>> http://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/iPhoneOTAConfiguration.pdf
>>>>>>
>>>>>> On Sun, Aug 4, 2013 at 6:36 AM, Prabath Siriwardena <[email protected]> wrote:
>>>>>>
>>>>>>> On Sat, Aug 3, 2013 at 9:04 PM, Sanjiva Weerawarana <[email protected]> wrote:
>>>>>>>
>>>>>>>> Dilshan & Prabath, should the SCEP server code ship with IS by
>>>>>>>> default?
>>>>>>>>
>>>>>>>> Prabath I remember a long discussion about certificate issuing and
>>>>>>>> distribution 3-4 years ago but don't think we ended up implementing
>>>>>>>> yet .. is this a lightweight solution?
>>>>>>>
>>>>>>> Yes.. we didn't make any progress with the CA implementation..
>>>>>>>
>>>>>>> SCEP server plays the middle-man role in enrolling and getting a
>>>>>>> certificate to a network device (which basically does not have any
>>>>>>> account with the CA).
>>>>>>>
>>>>>>> SCEP server will know how to talk to a CA (could be the existing
>>>>>>> corporate CA) and gets the certificate..
>>>>>>>
>>>>>>> My understanding is MDM needs not to be a SCEP server (please
>>>>>>> correct me if not).. It only has to know how to talk to a SCEP server..
>>>>>>> (which may be IS, EJBCA or Microsoft CA).
>>>>>>>
>>>>>>> Mobile devices, when getting registered with the MDM, will get a
>>>>>>> profile with all the details to connect to the SCEP server... and these
>>>>>>> devices will connect to the SCEP server directly and do the enrollment..
>>>>>>> The role of MDM is to embed the OTP and the server URL of the SCEP server
>>>>>>> into the profile...
>>>>>>>
>>>>>>> Thanks & regards,
>>>>>>> -Prabath
>>>>>>>
>>>>>>>> Dilshan have u guys already implemented it?
>>>>>>>>
>>>>>>>> Sanjiva.
>>>>>>>>
>>>>>>>> On Wed, Jul 31, 2013 at 9:01 PM, Dilshan Edirisuriya <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Attached is the architecture of mobile device management. The MDM
>>>>>>>>> build is compiled on top of carbon by using necessary features. Build
>>>>>>>>> consists of these layers modules/components.
>>>>>>>>>
>>>>>>>>> 1) MDM web console - MDM Jaggery app where you have the MDM core
>>>>>>>>> functionality.
>>>>>>>>>
>>>>>>>>> 2) MDM admin console - This is for creating tenants and admins. At
>>>>>>>>> present this is done via carbon admin console.
>>>>>>>>>
>>>>>>>>> 3) Public store - Public store Jaggery app.
>>>>>>>>>
>>>>>>>>> 4) Publisher - Publisher Jaggery app.
>>>>>>>>>
>>>>>>>>> 5) Store admin console - Admin console for store.
>>>>>>>>>
>>>>>>>>> 6) iPhone interface - This will run the SCEP server[1] which is
>>>>>>>>> needed for iPhone provisioning.
>>>>>>>>>
>>>>>>>>> 7) Android interface - GCM related functionality goes here.
>>>>>>>>>
>>>>>>>>> 8) User module - User authentication, register, roles etc. will be
>>>>>>>>> handled here. For this we will be using WSRequest in Jaggery or
>>>>>>>>> directly calling the OSGI bundle from Jaggery.
>>>>>>>>>
>>>>>>>>> 9) Tenant management module - Tenants will be handled in this
>>>>>>>>> module.
>>>>>>>>>
>>>>>>>>> 10) Configuration management module - MDM related configurations.
>>>>>>>>>
>>>>>>>>> 11) Security module - SAML based login etc.
>>>>>>>>>
>>>>>>>>> 12) Device module - Device related functions.
>>>>>>>>>
>>>>>>>>> 13) Policy module - XACML related functions to handle MDM policies.
>>>>>>>>>
>>>>>>>>> Main MDM app will be developed as a Jaggery app and it will use an
>>>>>>>>> external mysql database. Jaggery will handle all the database
>>>>>>>>> functions related to MDM. Data level isolation of the tenants will
>>>>>>>>> also be done using the Jaggery code.
>>>>>>>>>
>>>>>>>>> [1] - http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> Dilshan
>>>>>>>>
>>>>>>>> --
>>>>>>>> Sanjiva Weerawarana, Ph.D.
>>>>>>>> Founder, Chairman & CEO; WSO2, Inc.; http://wso2.com/
>>>>>>>> email: [email protected]; phone: +94 11 763 9614; cell: +94 77 787 6880 | +1 650 265 8311
>>>>>>>> blog: http://sanjiva.weerawarana.org/
>>>>>>>>
>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>
>>>>>>> --
>>>>>>> Thanks & Regards,
>>>>>>> Prabath
>>>>>>>
>>>>>>> Mobile : +94 71 809 6732
>>>>>>>
>>>>>>> http://blog.facilelogin.com
>>>>>>> http://RampartFAQ.com

--
Shanmugarajah (Shan)
Director Architecture - WSO2Mobile
Mob: + 94 714944295

_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
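An added example (not code from the WSO2 MDM project or from anyone in this thread) of the challenge handling Shan describes: each challenge is bound to one user and device, consumed on the first valid request, and, per Prabath's point that the challenge alone is not enough, the enrollment request itself is checked against that binding. Ruby is used because the SCEP server under discussion is a WEBrick app; the `ChallengeStore` name, the request hash fields and the TTL are assumptions.

```ruby
require 'securerandom'

# Added example, not code from the WSO2 MDM thread: a challenge store that
# binds each SCEP challenge to one (user, device) pair and marks it used on
# the first valid request. Request field names and TTL are assumptions.
class ChallengeStore
  TTL = 600 # seconds a challenge stays valid (assumed value)

  def initialize
    @entries = {} # challenge => { user:, device:, issued_at:, used: }
  end

  # MDM side: mint a fresh random challenge for one user/device pair and
  # remember the binding; this is the value embedded in the SCEP profile.
  def issue(user:, device:, now: Time.now)
    challenge = SecureRandom.hex(16)
    @entries[challenge] = { user: user, device: device, issued_at: now, used: false }
    challenge
  end

  # SCEP side: validate the challenge and the request it arrives with.
  # Returns :ok, or a symbol naming why the enrollment is refused.
  def validate(request, now: Time.now)
    entry = @entries[request[:challenge]]
    return :unknown_challenge unless entry
    return :expired if now - entry[:issued_at] > TTL
    return :already_used if entry[:used] # replay of a consumed challenge
    return :wrong_device unless request[:device] == entry[:device]
    return :wrong_user unless request[:user] == entry[:user]
    # The challenge alone is not enough: the CSR subject must name the
    # device the challenge was issued for, so a copied challenge cannot
    # be redeemed for a certificate carrying some other identity.
    return :subject_mismatch unless request[:subject_cn] == entry[:device]
    entry[:used] = true # set the flag: single use
    :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  store = ChallengeStore.new
  c = store.issue(user: "alice", device: "dev-1")
  req = { challenge: c, user: "alice", device: "dev-1", subject_cn: "dev-1" }
  puts store.validate(req) # ok
  puts store.validate(req) # already_used (replay of the same challenge)
end
```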
