Hi Paul, Thanks.
On Thu, May 23, 2013 at 2:25 AM, Paul Foxworthy <[email protected]> wrote: > Hi Ted, > > You could use standard SSL support for client certificate authentication. > You can configure the web server to require a client certificate. Here's how > to to it in Apache: > http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#allclients > Yes, I am aware of this, as well as how to do it using Apache's httpd server. But I was under the impression that OFBiz used a customized version of Apache Tomcat, and I do not know how to handle SSL in Tomcat in general nor how to configure it to use or better require use of client side certificates. I do not even know where OFBiz puts its container when it is installed (in my case on Suse Linux). > You need to find a secure way to send a client certificate to your users, > and they need to import the client certificate into the browser. This would > be external to OFBiz. The entire web application, not just form submission, > would be encrypted, tamper-proof and authenticated, and that would be > transparent to the OFBiz application. > I am aware of this too. I have a handle on that, involving contact between a registration authority and the users, and issuance of single use credentials to the users, for access (over HTTPS) to a specific website (written in Perl), The RA would establish, also, a set of challenge and response questions and answers with the users, so that the identity of the user can be verified by the combinatin of single use credentials and challenege/response questions. This part of the process, along with documentation the shows the RA's processes indeed verify the users' identities, is entirely external to OFBiz, which is why I didn't mention it before in this context. > Web browsers and operating systems already have certificate stores, and you > could just use them without needing to do anything special. Certificate > deployment would be an annoyance, but a one-off annoyance. > Yes, I was planning on using this. > If you want to do it internal to the application with Javascript, you are in > effect rewriting the SSL infrastructure in your own Javascript code. Your > code doesn't have a secure key store and is subject to risks of code > injection and so on. See the rant on this subject at > > http://www.matasano.com/articles/javascript-cryptography/ > OOPS, we have a misunderstanding here. The objective is NOT to rewrite the SSL infrastructure, although it will be used extensively. Rather, the objective is to provide support for non-repudiation, hence relating the client side certificate provided by the client machine to the identity of the user. Further, as an example, consider the nature of ecommerce: this is essentially a sales contract, and while one dimension of the security need for the integrity of such a contract involves assuring the identities of the parties to the contract, the contract itself needs to be handled in a way in which the details of it can readily be verified and assured against subsequent modification without the express consent of both parties. Thus, in ecommerce, at the checkout page, we need all the data in the shopping cart to be included on the checkout page, and we want that, along with the amount of the transaction, timestamp, &c., to be put into a single document and signed and encrypted. The resulting binary data would be stored with the transaction data, and made easily retrievable/viewable by both both parties to the sales contract and the banks used by the merchant and customer (in case the custmer takes a dispute to the issuing bank and demands a chargeback - such a document would be priceless for the bans to determine whether or not there was a valid sales contract between a merchant and client and is presently generally unavailable in card not present transactions). While ecommerce is an obvious application for what I have in mind, I can see other parts of OFBiz which may involve some sort of contract between parties and which may benefit from having this sort of capability (relations between different departments within a company? accountability of staff to their supervisor? others, to be requested by parties using ofbiz?). The thing is that if the application server asks for a client side certificate, the client's browser will offer one from the browser's or OS' store (I am not sure if, when the store contains more than one client side certificate if the browser asks the user which one to send, but I'll examine this complication in due course). But then, I would expect that one can get at the client's ID from that certificate using code written in Java just as one can using Perl (I dont recall the details, or whether I'd need to use openssl installed on the server and invoked from Perl, but I recall seeing it can be done without too too much pain), so that what the certificate says about the client's identity can be stored with the signed and encrypted document (which, of course, the client's public key can be used to decrypt the document and verify the signature). At this stage, I am not entirely certain whether or not this document really needs to be encrypted or if it can simply be signed (what is critical is that any alteration of the document be readily detected, that the signature reliably identifies the client, and that both parties have a copy). These are considerations that use of SSL or TLS do not address (as far as I can tell, anyway). > If you must build something like this in Javascript, these are some > libraries that might help: > > http://ats.oka.nu/titaniumcore/js/crypto/readme.txt > http://crypto.stanford.edu/sjcl/ (symmetric AES only) > http://www-cs-students.stanford.edu/~tjw/jsbn/ > > Hope that helps. > Thanks, I will take a look at these resources. > Cheers > > Paul Foxworthy > Cheers Ted > > Ted Byers wrote >> I need to add use of PKI, with document signing, to OFBiz >> >> What would I need to do to configure OFBiz to require client side >> certificates, and where would I modify the forms sent to the client's >> browser so that it includes a JavaScript file that will support use of >> the client's private key to sign and encrypt the document/data >> submitted when the form's submit button is clicked? I guess this is >> two questions, the first being use/requirement for the client to >> supply a client side certificate, and the second involves modification >> of the interface so that data can be encrypted and signed. >> >> In due course, I may even need to alter the content displayed to the >> client depending on whether or not there is a client side certificate. >> >> Thanks >> >> Ted > > > > > > ----- > -- > Coherent Software Australia Pty Ltd > http://www.coherentsoftware.com.au/ > > Bonsai ERP, the all-inclusive ERP system > http://www.bonsaierp.com.au/ > > -- > View this message in context: > http://ofbiz.135035.n4.nabble.com/Improving-OFBiz-security-tp4641462p4641485.html > Sent from the OFBiz - User mailing list archive at Nabble.com.
