On Tuesday 19 Jan 2016 17:46:27 Rich Freeman wrote:
> On Tue, Jan 19, 2016 at 2:32 PM, Grant <emailgr...@gmail.com> wrote:
> > I'm sorry, I meant can I lock down access to my web stuff so that a
> > particular user can only come from a particular device (or from any
> > device containing a key).
>
> It looks like this hasn't been widely implemented, but it looks like
> they do have the ability to generate TPM-backed client certificates
> which could then be used for authentication (and you can set a policy
> to auto-authenticate using the certificate). It looks like you need
> to use an extension to generate the key and csr, and load the
> certificate. Google wrote an extension that does this for active
> directory, but for any other certificate authority it looks like you
> basically have to write your own (and probably publish it as FOSS).
>
> So, the idea would be that you'd provision the device and then log
> into it. The device would auto-install the certificate installer and
> then you'd run that extension to load a certificate and mark it for
> use for all users on the device. Then any user on that device could
> authenticate using the certificate. The key would be stored in the
> TPM and would never leave the device, and wiping the device would
> destroy the key.
>
> You mentioned GPG keys, and this stuff is all RSA-backed, but SSL
> client certificates don't use GPG itself. All of this is FOSS as far
> as I can tell. All browsers can load and use client certificates, but
> the advantage of a chromebook is that the key can be generated by the
> TPM and never leave it.
You can use apache client authentication with SSL certificates only. Of course you will need to create a self-signed CA, which you will use to create the web server public/private key pair and also sign each client's certificate and upload it along with your CA certificate to the user's browser. This explains the principle:

http://wiki.cacert.org/HELP/9

Ditto with the VPN connection - should you still want to use VPN.

If a user certificate is lost or feared compromised, you revoke it with your CA and upload the CRL to the server.

However, this won't do away with XSS, or other similar attack vectors if the users are not careful with their browsing habits. This won't resolve problems with lost laptops and the like either, so previous suggestions for disk encryption, or chromebooks apply, if this is a considerable risk with your users.

--
Regards,
Mick
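The recipe Mick sketches above (private CA, server key pair, per-user client certificates loaded into the browser, revocation via a CRL, Apache requiring the certificate), worked through end to end as an added example. This is not code from the thread or from cacert.org; every name in it is hypothetical: the CA lives in ./demo-ca, the web host is www.example.test, the user is alice, and the PKCS#12 passphrase is "changeit". It needs only the openssl command-line tool; the Apache fragment uses mod_ssl directives from Apache 2.4.

```sh
# Added example (not from the thread): a minimal private CA for Apache TLS
# client authentication. Hypothetical names: CA directory ./demo-ca,
# host www.example.test, user alice, PKCS#12 passphrase "changeit".
set -e

CA_DIR=${CA_DIR:-./demo-ca}
SERVER_NAME=${SERVER_NAME:-www.example.test}
CNF="$CA_DIR/openssl.cnf"

# Self-signed CA plus the database files "openssl ca" needs, and an empty CRL.
ca_init() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    echo 1000 > "$CA_DIR/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = $CA_DIR/index.txt
new_certs_dir    = $CA_DIR/newcerts
certificate      = $CA_DIR/ca.crt
private_key      = $CA_DIR/ca.key
serial           = $CA_DIR/serial
crlnumber        = $CA_DIR/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$SERVER_NAME
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Demo Private CA" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    openssl ca -config "$CNF" -gencrl -out "$CA_DIR/ca.crl" 2>/dev/null
}

# Key pair and CSR for CN $1, signed by the CA with the extension section $2.
issue_cert() {
    openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
    openssl ca -config "$CNF" -batch -notext -extensions "$2" \
        -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null
}

issue_server_cert() { issue_cert "$SERVER_NAME" server_ext; }

# Client cert, bundled with its key and the CA cert as PKCS#12 for browser import.
issue_client_cert() {
    issue_cert "$1" client_ext
    openssl pkcs12 -export -inkey "$CA_DIR/$1.key" -in "$CA_DIR/$1.crt" \
        -certfile "$CA_DIR/ca.crt" -out "$CA_DIR/$1.p12" -passout pass:changeit
}

# Lost or compromised device: revoke the certificate and publish a fresh CRL.
revoke_client() {
    openssl ca -config "$CNF" -revoke "$CA_DIR/$1.crt" 2>/dev/null
    openssl ca -config "$CNF" -gencrl -out "$CA_DIR/ca.crl" 2>/dev/null
}

# The check Apache will make: chains to our CA and is not on the CRL (exit 0 = accept).
client_is_valid() {
    openssl verify -CAfile "$CA_DIR/ca.crt" -crl_check -CRLfile "$CA_DIR/ca.crl" \
        "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Apache 2.4 mod_ssl vhost: require a client cert from our CA and honour the CRL.
apache_snippet() {
    cat <<EOF
<VirtualHost *:443>
    ServerName            $SERVER_NAME
    SSLEngine             on
    SSLCertificateFile    $CA_DIR/$SERVER_NAME.crt
    SSLCertificateKeyFile $CA_DIR/$SERVER_NAME.key
    SSLCACertificateFile  $CA_DIR/ca.crt
    SSLVerifyClient       require
    SSLCARevocationFile   $CA_DIR/ca.crl
    SSLCARevocationCheck  chain
</VirtualHost>
EOF
}
```

Source the file, then run `ca_init; issue_server_cert; issue_client_cert alice` to get ./demo-ca/alice.p12 for the browser and `apache_snippet` for the vhost; `revoke_client alice` regenerates ca.crl, after which `client_is_valid alice` fails, which is exactly what Apache will do once it has re-read the CRL. Note that SSLCARevocationCheck defaults to none in Apache 2.4, so without that line the uploaded CRL is silently ignored.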