I have a use case relating to authentication and I wonder if anyone can advise me whether it can be implemented with the NSS internal PKCS#11 Module + the software security device or if it might require the coding of a new security device.
We have a number of web sites that our users need to authenticate to and they may need to access several during a single web browsing session. It may be immpossible for all the web sites to access the same LDAP directory and so X509.3 certificates seem a good way to handle authentication. However, we have a major concern;
Users are likely to want to access the services from many different PCs each of which may be used by many different users. It may therefore be necessary for user certificates to be stored on a central server and have the users collect them at the start of each session via a user name + password authentication, or to issue them with new, short lived certificates at the start of every session. We would also like to use some thin clients where the user doesn't have access rights to save preferences to file.
We're concerned that users might store their certificates and keys on the local hard disk with either no encryption or a poor choice of password and we don't want to rely on managers of local area networks to protect the files either. Use of portable devices to store keys is really not viable for us. Most of all we want to avoid having to give
users a lot of complex advice about protecting their identity.
The question is this: is it possible for the server that issues/stores user certificates to instruct the PKCS#11 Module not to store the private key (or certificate) in any kind of persistent store? There are two scenarios where we might want to apply this, 1) when the browser generates a key pair - because we may choose to issue the user with a very short lived certificate every time they log in. 2) when we deliver the private key along with the certificate - because we may choose to generate the key pair server side so we can create a long lived certificate and simply reissue it. Of course we would also like to avoid the need for a user to ever set a master password in the
browser.
I would appreciate comments on the use case and its possible implementation. I'd especially like to hear from anyone who has already implemented a solution for a similar scenario. I'm afraid the reality is that most of our users will expect to use IE to access our web sites but I suspect we'll make more progress working with Mozilla in the first instance.
Jon Maber bodington.org The University of Leeds
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
