PK no I - PowerPoint PPT Presentation

Slides: 15
Provided by: PETERHO3

Transcript and Presenter's Notes
1
PK no I
  • CITI
  • University of Michigan
  • Ann Arbor

2
Problem Statement
  • Access control web space
  • Leverage infrastructure
  • Kerberos, uniqname
  • Directory and authorization

3
KLP Didn't Work
  • Browser plug-in architecture is hostile to
    security
  • Local proxy is functional but not hassle free

4
Face It!
  • Web space requires PK authentication
  • (None genuine without this mark)
  • Enter jis, stage east

5
MIT Kerberized PGP Signer
  • Nobody really used it
  • I'm just mentioning it for completeness

6
MIT Kerberized X.509 Factory
  • Bootstrap Kerberos
  • Send pass phrase over SSL (ick)
  • Server authenticates
  • Entreat browser to create key pair
  • Server signs pubkey, hands back to browser

7
Short Lifetimes
  • Avoid CRLs at all costs
  • Even at the cost of long-term signatures and
    encryption
  • Authentication only
  • MIT allows up to a year
  • Over 50,000 served! (in the first year alone)

8
Problems
  • Privkey storage
  • Treat as disposable ticket
  • Reliance on murky browser technology
  • Horrible UI
  • Lifetime is still too long
  • Compare to TGT

9
UMich Wrinkles
  • One-day lifetime
  • junk keys
  • Shun the browser way
  • Kerberized application does all the work
  • Part of login
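
The issuing and checking flow sketched on slides 6, 7 and 9 (server has authenticated the principal, client makes its own key pair, server signs the public key with a short-lived, authentication-only certificate, and expiry rather than a CRL is the revocation mechanism) as an added example in Go using only the standard library's crypto/x509. This is not CITI's or MIT's code: the Kerberos bootstrap and the pass-phrase-over-SSL step are assumed to have already happened, the CA is a throwaway self-signed one created in-process, and the type and function names (ShortLivedIssuer, IssueForPrincipal, VerifyAt, IsExpired) and the principal name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ShortLivedIssuer is a hypothetical stand-in for the certificate factory.
// It is handed a principal name the server has ALREADY authenticated (the
// Kerberos step is assumed done and not modelled) plus the public key the
// client generated, and returns a one-day, authentication-only certificate.
// Revocation is handled by expiry alone; no CRL is ever produced.
type ShortLivedIssuer struct {
	CACert   *x509.Certificate
	caKey    *ecdsa.PrivateKey
	Lifetime time.Duration
}

// NewShortLivedIssuer creates a throwaway CA key and self-signed CA certificate (constructed for the example).
func NewShortLivedIssuer(lifetime time.Duration) (*ShortLivedIssuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Kerberized CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ShortLivedIssuer{CACert: cert, caKey: key, Lifetime: lifetime}, nil
}

// IssueForPrincipal signs pub for an already-authenticated principal. The
// certificate is usable only for client authentication and expires after
// Lifetime: closer to a Kerberos TGT than to a long-term identity certificate.
func (s *ShortLivedIssuer) IssueForPrincipal(principal string, pub *ecdsa.PublicKey, now time.Time) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: principal},
		NotBefore:             now.Add(-5 * time.Minute), // tolerate small clock skew
		NotAfter:              now.Add(s.Lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // authentication only
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, s.CACert, pub, s.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAt is what a relying web server does: chain to the CA, require the
// client-auth EKU, and check the validity window at time `at`. A certificate
// past NotAfter is rejected without consulting any revocation list.
func (s *ShortLivedIssuer) VerifyAt(cert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(s.CACert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// IsExpired reports whether a VerifyAt error is specifically a validity-window failure.
func IsExpired(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.Expired
}

func main() {
	issuer, err := NewShortLivedIssuer(24 * time.Hour)
	if err != nil {
		panic(err)
	}
	// The client side (a Kerberized login helper, not the browser) generates its
	// own key pair; only the public half is sent to the issuer.
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	cert, err := issuer.IssueForPrincipal("user@EXAMPLE.EDU", &clientKey.PublicKey, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("one hour later:", issuer.VerifyAt(cert, now.Add(time.Hour)))
	fmt.Println("next day:", issuer.VerifyAt(cert, now.Add(25*time.Hour)))
}
```

The relying party never needs a CRL because the only revocation question it can ask is "is this inside its one-day window?"; shortening Lifetime further (a TGT-like ten hours, say) narrows the exposure of a stolen private key at no extra cost to the verifier, which is the trade the slides argue for against long-term signatures and encryption.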

10
Problems
  • Privkey storage
  • Where does this go?
  • IE CAPI
  • No solution in hand for Netscape
  • Unstable API
  • They seem to like it that way
  • PKCS11 looks viable

11
More Problems
  • Login interface
  • CAEN GINA
  • MacOS
  • No CAPI
  • Netscape is just confused
  • MIT issuer works

12
What's Next
  • Document
  • Roll out

13
So What?
  • We still don't know how to access-control web
    space
  • NT and Lotus/Domino use PK authentication to log
    you in
  • Wrong answer
  • Does anyone know how Apache does it?

14
Any questions?
http://www.citi.umich.edu/