Hi Shan,

Even here, it uses a SCEP server, which is a separate entity. And this video
too explains the vulnerability of SCEP, as it is designed for closed
systems..

That is one reason we need to validate the SCEP request against the profile
we passed to the device...

It has to validate the device identity as well as the certificate CN and the
rest..

Thanks & regards,
-Prabath


On Mon, Aug 5, 2013 at 2:46 PM, Shanmugarajah Sinnathamby <[email protected]> wrote:

> Hi Prabath,
>
> Hope you had a look at this
>
> http://www.youtube.com/watch?v=SfMeKnch3YA
>
>
>
> On Mon, Aug 5, 2013 at 1:41 PM, Shanmugarajah Sinnathamby <[email protected]> wrote:
>
>> Hi Prabath ,
>>
>> The challenge is a random number generated and associated with a user and
>> device. So when the SCEP request comes in, we check the challenge and the
>> associated user and device, and a flag is set.
>> Also this gives the user the flexibility to enroll one or more devices,
>> since the challenge is per device.
>>
>> Let's say the challenge is stolen by another user or the same user; if he
>> tries to get the certificate using the same challenge, there is a
>> validation against the user and device. Do you think this can help us to
>> secure it?
>> If not, what is the best method to overcome the SCEP vulnerability?
>>
>>
>>
>>
>>
>> On Mon, Aug 5, 2013 at 10:39 AM, Prabath Siriwardena <[email protected]> wrote:
>>
>>> I guess the user challenge itself is not enough.. We also need to validate
>>> the SCEP request..
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>>
>>> On Mon, Aug 5, 2013 at 10:32 AM, Shanmugarajah Sinnathamby <
>>> [email protected]> wrote:
>>>
>>>> Hi Prabath ,
>>>>
>>>> Currently the SCEP server is within the MDM domain itself, where
>>>> validation will be done based on the user challenge before it gets passed
>>>> to it. The validation part is not done.
>>>> Also there is a performance issue in the time taken to enroll a device;
>>>> Mayuran is working on that along with the validation.
>>>>
>>>>
>>>>
>>>> Thanks,
>>>> -Shan
>>>>
>>>> On Sun, Aug 4, 2013 at 1:38 PM, Prabath Siriwardena <[email protected]> wrote:
>>>>
>>>>> Hi Dilshan,
>>>>>
>>>>> Have we considered passing the SCEP requests from the devices through
>>>>> the MDM and validating those? There is a separate mail on that..
>>>>>
>>>>> Thanks & regards,
>>>>> -Prabath
>>>>>
>>>>>
>>>>> On Sun, Aug 4, 2013 at 10:11 AM, Dilshan Edirisuriya <[email protected]> wrote:
>>>>>
>>>>>> Yes Prabath, our MDM need not work as a SCEP server. Right now it is
>>>>>> a separate WEBrick web server and the code is written in Ruby. The SCEP
>>>>>> server can be any third-party server like EJBCA etc. I had an offline
>>>>>> discussion with Azeez and came to the conclusion that the SCEP server
>>>>>> part needs to be separated out into a web app written in Java, so that
>>>>>> at any time it can be replaced with anything. Ideally, I believe this
>>>>>> part needs to be handled by IS, and MDM only communicates with it
>>>>>> through the information provided at deployment time.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Dilshan
>>>>>>
>>>>>>
>>>>>> On Sun, Aug 4, 2013 at 7:09 AM, Prabath Siriwardena <[email protected]> wrote:
>>>>>>
>>>>>>> Just had a look at how this works with iOS [1]..
>>>>>>>
>>>>>>> I may be totally wrong (please correct me in that case); I just
>>>>>>> went through the doc quickly..
>>>>>>>
>>>>>>> In the response from the MDM, it has the following, which in fact
>>>>>>> gives details to connect to a different SCEP server.. so our MDM need
>>>>>>> not work as a SCEP server..
>>>>>>>
>>>>>>> <array>
>>>>>>> <dict>
>>>>>>> <key>PayloadContent</key>
>>>>>>> <dict>
>>>>>>> <key>URL</key>
>>>>>>> <string>https://scep.example.com/scep</string>
>>>>>>> <key>Name</key>
>>>>>>> <string>EnrollmentCAInstance</string>
>>>>>>> <key>Subject</key>
>>>>>>> <array>
>>>>>>> <array>
>>>>>>> <array>
>>>>>>> <string>O</string>
>>>>>>> <string>Example, Inc.</string>
>>>>>>> </array>
>>>>>>> </array>
>>>>>>> <array>
>>>>>>> <array>
>>>>>>> <string>CN</string>
>>>>>>> <string>User Device Cert</string>
>>>>>>> </array>
>>>>>>> </array>
>>>>>>> </array>
>>>>>>> <key>Challenge</key>
>>>>>>> <string>...</string>
>>>>>>> <key>Keysize</key>
>>>>>>> <integer>1024</integer>
>>>>>>> <key>Key Type</key>
>>>>>>> <string>RSA</string>
>>>>>>> <key>Key Usage</key>
>>>>>>> <integer>5</integer>
>>>>>>> </dict>
>>>>>>>
>>>>>>> Thanks & regards,
>>>>>>> -Prabath
>>>>>>>
>>>>>>> [1]:
>>>>>>> http://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/iPhoneOTAConfiguration.pdf
>>>>>>>
>>>>>>>
>>>>>>> On Sun, Aug 4, 2013 at 6:36 AM, Prabath Siriwardena <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sat, Aug 3, 2013 at 9:04 PM, Sanjiva Weerawarana <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> Dilshan & Prabath, should the SCEP server code ship with IS by
>>>>>>>>> default?
>>>>>>>>>
>>>>>>>>> Prabath, I remember a long discussion about certificate issuing and
>>>>>>>>> distribution 3-4 years ago but don't think we ended up implementing
>>>>>>>>> it yet.. Is this a lightweight solution?
>>>>>>>>>
>>>>>>>>
>>>>>>>> Yes.. we didn't make any progress with the CA implementation..
>>>>>>>>
>>>>>>>> The SCEP server plays the middle-man role in enrolling and getting a
>>>>>>>> certificate to a network device (which basically does not have any
>>>>>>>> account with the CA).
>>>>>>>>
>>>>>>>> The SCEP server will know how to talk to a CA (could be the existing
>>>>>>>> corporate CA) and gets the certificate..
>>>>>>>>
>>>>>>>> My understanding is the MDM need not be a SCEP server (please
>>>>>>>> correct me if not).. It only has to know how to talk to a SCEP server..
>>>>>>>> (which may be IS, EJBCA or Microsoft CA).
>>>>>>>>
>>>>>>>> Mobile devices, when getting registered with the MDM, will get a
>>>>>>>> profile with all the details to connect to the SCEP server... and these
>>>>>>>> devices will connect to the SCEP server directly and do the
>>>>>>>> enrollment..
>>>>>>>> The role of the MDM is to embed the OTP and the server URL of the SCEP
>>>>>>>> server into the profile...
>>>>>>>>
>>>>>>>> Thanks & regards,
>>>>>>>> -Prabath
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Dilshan, have you guys already implemented it?
>>>>>>>>>
>>>>>>>>> Sanjiva.
>>>>>>>>>
>>>>>>>>> On Wed, Jul 31, 2013 at 9:01 PM, Dilshan Edirisuriya <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Attached is the architecture of mobile device management. The MDM
>>>>>>>>>> build is compiled on top of Carbon using the necessary features. The
>>>>>>>>>> build consists of these layers/modules/components.
>>>>>>>>>>
>>>>>>>>>> 1) MDM web console - MDM Jaggery app where you have the MDM core
>>>>>>>>>> functionality.
>>>>>>>>>>
>>>>>>>>>> 2) MDM admin console - This is for creating tenants and admins.
>>>>>>>>>> At present this is done via carbon admin console.
>>>>>>>>>>
>>>>>>>>>> 3) Public store  -  Public store Jaggery app.
>>>>>>>>>>
>>>>>>>>>> 4) Publisher - Publisher Jaggery app.
>>>>>>>>>>
>>>>>>>>>> 5) Store admin console - Admin console for store.
>>>>>>>>>>
>>>>>>>>>> 6) iPhone interface - This will run the SCEP server[1] which is
>>>>>>>>>> needed for iPhone provisioning.
>>>>>>>>>>
>>>>>>>>>> 7) Android interface - GCM related functionality goes here.
>>>>>>>>>>
>>>>>>>>>> 8) User module - User authentication, registration, roles etc. will
>>>>>>>>>> be handled here. For this we will be using WSRequest in Jaggery or
>>>>>>>>>> directly calling the OSGi bundle from Jaggery.
>>>>>>>>>>
>>>>>>>>>> 9) Tenant management module - Tenants will be handled in this
>>>>>>>>>> module.
>>>>>>>>>>
>>>>>>>>>> 10) Configuration management module - MDM related configurations.
>>>>>>>>>>
>>>>>>>>>> 11) Security module - SAML based login etc.
>>>>>>>>>>
>>>>>>>>>> 12) Device module - Device related functions.
>>>>>>>>>>
>>>>>>>>>> 13) Policy module - XACML related functions to handle MDM
>>>>>>>>>> policies.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> The main MDM app will be developed as a Jaggery app and it will use
>>>>>>>>>> an external MySQL database. Jaggery will handle all the database
>>>>>>>>>> functions related to MDM. Data-level isolation of the tenants will
>>>>>>>>>> also be done using the Jaggery code.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [1] -
>>>>>>>>>> http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>>
>>>>>>>>>> Dilshan
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Architecture mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Sanjiva Weerawarana, Ph.D.
>>>>>>>>> Founder, Chairman & CEO; WSO2, Inc.;  http://wso2.com/
>>>>>>>>> email: [email protected]; phone: +94 11 763 9614; cell: +94 77 787
>>>>>>>>> 6880 | +1 650 265 8311
>>>>>>>>> blog: http://sanjiva.weerawarana.org/
>>>>>>>>>
>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thanks & Regards,
>>>>>>>> Prabath
>>>>>>>>
>>>>>>>> Mobile : +94 71 809 6732
>>>>>>>>
>>>>>>>> http://blog.facilelogin.com
>>>>>>>> http://RampartFAQ.com
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Shanmugarajah (Shan)
>>>>
>>>> Director Architecture - WSO2Mobile
>>>>
>>>> Mob: + 94 714944295
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
>
>


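A defender-side model of the checks discussed in this thread (Shan's per-user, per-device one-time challenge, and Prabath's point that the device identity and the certificate CN must be validated against the profile the MDM issued), written as an added example and not code from the WSO2 MDM project or the SCEP server it describes. It assumes the challenge password, a device identifier and the CSR subject CN have already been extracted from the incoming SCEP request; the ChallengeStore class and its method names are hypothetical.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class ChallengeRecord:
    """What the MDM remembers about one challenge it embedded in a profile."""
    user: str
    device_id: str
    expected_cn: str    # the CN the profile's Subject told the device to request
    expires_at: float
    used: bool = False  # the "flag" set once the challenge has been consumed


class ChallengeStore:
    """MDM-side store: one random challenge per (user, device) enrollment profile.
    Hypothetical class, not part of the WSO2 MDM code base."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self._records = {}

    def issue(self, user, device_id, expected_cn, now=None):
        """Generate a fresh random challenge bound to this user and device."""
        now = time.time() if now is None else now
        challenge = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._records[challenge] = ChallengeRecord(
            user, device_id, expected_cn, now + self.ttl)
        return challenge

    def validate(self, challenge, device_id, subject_cn, now=None):
        """Check an incoming SCEP request against the profile that was issued.
        Returns (accepted, reason). Only a known, unused, unexpired challenge
        presented by the bound device with the expected CN is accepted, and it
        is consumed so a stolen or replayed challenge cannot be used twice."""
        now = time.time() if now is None else now
        rec = self._records.get(challenge)
        if rec is None:
            return False, "unknown challenge"
        if rec.used:
            return False, "challenge already used"
        if now > rec.expires_at:
            return False, "challenge expired"
        if rec.device_id != device_id:
            return False, "device mismatch"
        if rec.expected_cn != subject_cn:
            return False, "subject CN does not match profile"
        rec.used = True
        return True, f"enrollment accepted for {rec.user}"
```

The `now` parameter exists only so the expiry path can be exercised deterministically; in a deployment the record would live in the MDM database rather than a process-local dict.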
