SCEP has a known vulnerability, where end devices can fool the system into getting certificates for whatever they desire.

More details at [1]. One way we could overcome this is: we do not expose the SCEP server to the devices, but rather route all the SCEP requests from devices to the SCEP server through the MDM. And at the MDM we validate the SCEP request against the OTP we issued; only if it is legitimate will the MDM route the request to the SCEP server.

[1]: http://www.kb.cert.org/vuls/id/971035

On Sun, Aug 4, 2013 at 7:09 AM, Prabath Siriwardena <prab...@wso2.com> wrote:

> Just had a look at how this works with iOS [1].
>
> I may be totally wrong (please correct me in that case); I just went through the doc quickly.
>
> In the Response from the MDM it has the following, which in fact gives details to connect to a different SCEP server, so our MDM need not work as a SCEP server.
>
> <array>
>   <dict>
>     <key>PayloadContent</key>
>     <dict>
>       <key>URL</key>
>       <string>https://scep.example.com/scep</string>
>       <key>Name</key>
>       <string>EnrollmentCAInstance</string>
>       <key>Subject</key>
>       <array>
>         <array>
>           <array>
>             <string>O</string>
>             <string>Example, Inc.</string>
>           </array>
>         </array>
>         <array>
>           <array>
>             <string>CN</string>
>             <string>User Device Cert</string>
>           </array>
>         </array>
>       </array>
>       <key>Challenge</key>
>       <string>...</string>
>       <key>Keysize</key>
>       <integer>1024</integer>
>       <key>Key Type</key>
>       <string>RSA</string>
>       <key>Key Usage</key>
>       <integer>5</integer>
>     </dict>
>
> Thanks & regards,
> -Prabath
>
> [1]: http://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/iPhoneOTAConfiguration.pdf
>
> On Sun, Aug 4, 2013 at 6:36 AM, Prabath Siriwardena <prab...@wso2.com> wrote:
>
>> On Sat, Aug 3, 2013 at 9:04 PM, Sanjiva Weerawarana <sanj...@wso2.com> wrote:
>>
>>> Dilshan & Prabath, should the SCEP server code ship with IS by default?
>>>
>>> Prabath, I remember a long discussion about certificate issuing and distribution 3-4 years ago but don't think we ended up implementing it yet. Is this a lightweight solution?
>>
>> Yes, we didn't make any progress with the CA implementation.
>>
>> The SCEP server plays the middle-man role in enrolling and getting a certificate to a network device (which basically does not have any account with the CA).
>>
>> The SCEP server will know how to talk to a CA (could be the existing corporate CA) and gets the certificate.
>>
>> My understanding is the MDM need not be a SCEP server (please correct me if not). It only has to know how to talk to a SCEP server (which may be IS, EJBCA or Microsoft CA).
>>
>> Mobile devices, when getting registered with the MDM, will get a profile with all the details to connect to the SCEP server, and these devices will connect to the SCEP server directly and do the enrollment. The role of the MDM is to embed the OTP and the server URL of the SCEP server into the profile.
>>
>> Thanks & regards,
>> -Prabath
>>
>>> Dilshan, have you guys already implemented it?
>>>
>>> Sanjiva.
>>>
>>> On Wed, Jul 31, 2013 at 9:01 PM, Dilshan Edirisuriya <dils...@wso2.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Attached is the architecture of mobile device management. The MDM build is compiled on top of Carbon by using the necessary features. The build consists of the following layers (modules/components).
>>>>
>>>> 1) MDM web console - MDM Jaggery app where you have the MDM core functionality.
>>>>
>>>> 2) MDM admin console - This is for creating tenants and admins. At present this is done via the Carbon admin console.
>>>>
>>>> 3) Public store - Public store Jaggery app.
>>>>
>>>> 4) Publisher - Publisher Jaggery app.
>>>>
>>>> 5) Store admin console - Admin console for the store.
>>>>
>>>> 6) iPhone interface - This will run the SCEP server [1] which is needed for iPhone provisioning.
>>>>
>>>> 7) Android interface - GCM related functionality goes here.
>>>>
>>>> 8) User module - User authentication, registration, roles etc. will be handled here. For this we will be using WSRequest in Jaggery or directly calling the OSGi bundle from Jaggery.
>>>>
>>>> 9) Tenant management module - Tenants will be handled in this module.
>>>>
>>>> 10) Configuration management module - MDM related configurations.
>>>>
>>>> 11) Security module - SAML based login etc.
>>>>
>>>> 12) Device module - Device related functions.
>>>>
>>>> 13) Policy module - XACML related functions to handle MDM policies.
>>>>
>>>> The main MDM app will be developed as a Jaggery app and it will use an external MySQL database. Jaggery will handle all the database functions related to MDM. Data-level isolation of the tenants will also be done using the Jaggery code.
>>>>
>>>> [1] - http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol
>>>>
>>>> Regards,
>>>>
>>>> Dilshan
>>>
>>> --
>>> Sanjiva Weerawarana, Ph.D.
>>> Founder, Chairman & CEO; WSO2, Inc.; http://wso2.com/
>>> email: sanj...@wso2.com; phone: +94 11 763 9614; cell: +94 77 787 6880 | +1 650 265 8311
>>> blog: http://sanjiva.weerawarana.org/
>>>
>>> Lean . Enterprise . Middleware

--
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
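The gate proposed in the message above, worked through as an added Python example; this is not code from the thread or from WSO2, and the names (ScepGate, build_csr, parse_csr), the OTP strings and the CSR bytes are all constructed for illustration. The MDM records each OTP it issues together with the subject it wrote into that device's SCEP payload; when a PKCS#10 request arrives, it decodes the DER, reads the challengePassword attribute and the subject CN, and forwards only if the OTP is one it issued, still valid, unused, and bound to exactly that subject. A request that carries a genuine OTP but a different subject is refused, which is the case the proposal is meant to close. The "public key" and "signature" fields of the constructed CSR are placeholder bytes, not real key material, since the check does not depend on them.

```python
"""Hypothetical MDM-side gate for SCEP enrollment requests (example code, not WSO2's).

The MDM issued the OTP and wrote it, with the subject, into the device's SCEP
payload. Before a PKCS#10 request is routed to the SCEP server, the gate checks
that the challengePassword is an OTP it issued (unexpired, unused) and that the
subject is the one bound to that OTP. Pure-python DER; placeholder key/signature.
"""

# Universal DER tags, plus the [0] IMPLICIT tag of CertificationRequestInfo.attributes
SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, UTF8STRING, CONTEXT_0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0xA0)

OID_CN = bytes.fromhex("550403")                         # 2.5.4.3 commonName
OID_CHALLENGE_PW = bytes.fromhex("2a864886f70d010907")   # 1.2.840.113549.1.9.7 challengePassword
OID_RSA = bytes.fromhex("2a864886f70d010101")            # 1.2.840.113549.1.1.1 rsaEncryption


def der(tag, content):
    """Encode one DER TLV with a definite length (content up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + (first & 0x7F)], "big"), 2 + (first & 0x7F)
    start = pos + hdr
    return tag, buf[start:start + n], start + n


def children(content):
    """Yield (tag, content) for each TLV nested inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner


def build_csr(cn, challenge):
    """Constructed PKCS#10 request with a single CN and a challengePassword attribute."""
    subject = der(SEQUENCE, der(SET, der(SEQUENCE, der(OID, OID_CN) + der(UTF8STRING, cn.encode()))))
    alg = der(SEQUENCE, der(OID, OID_RSA) + der(NULL, b""))
    placeholder = der(BIT_STRING, b"\x00" * 33)          # unused-bits byte + dummy key/signature
    spki = der(SEQUENCE, alg + placeholder)
    attrs = der(CONTEXT_0, der(SEQUENCE, der(OID, OID_CHALLENGE_PW) + der(SET, der(UTF8STRING, challenge.encode()))))
    info = der(SEQUENCE, der(INTEGER, b"\x00") + subject + spki + attrs)
    return der(SEQUENCE, info + alg + placeholder)


def parse_csr(csr):
    """Return (common_name, challenge_password) from a PKCS#10 request; None where absent."""
    _, body, _ = read_tlv(csr)
    info = next(children(body))[1]                 # CertificationRequestInfo
    parts = list(children(info))                   # version, subject, spki, [0] attributes
    cn = challenge = None
    for _, rdn in children(parts[1][1]):           # Name = SEQUENCE OF (SET OF AttributeTypeAndValue)
        for _, atv in children(rdn):
            (_, oid), (_, value) = list(children(atv))
            if oid == OID_CN:
                cn = value.decode()
    if len(parts) > 3 and parts[3][0] == CONTEXT_0:
        for _, attr in children(parts[3][1]):      # Attribute = SEQUENCE { type, SET OF value }
            (_, oid), (_, values) = list(children(attr))
            if oid == OID_CHALLENGE_PW:
                challenge = next(children(values))[1].decode()
    return cn, challenge


class ScepGate:
    """Keeps the OTPs the MDM issued and vets CSRs before they reach the SCEP server."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self._issued = {}  # otp -> {"device", "subject_cn", "expires"}

    def issue_otp(self, otp, device_id, subject_cn, now):
        """Bind a freshly issued OTP to the device and to the subject written into its profile."""
        self._issued[otp] = {"device": device_id, "subject_cn": subject_cn, "expires": now + self.ttl}

    def vet(self, csr, now):
        """Return (ok, reason); ok=True means the request may be routed to the SCEP server."""
        cn, challenge = parse_csr(csr)
        if challenge is None:
            return False, "no challengePassword attribute"
        rec = self._issued.get(challenge)
        if rec is None:
            return False, "unknown OTP"  # never issued, or already consumed (replay)
        if now > rec["expires"]:
            del self._issued[challenge]
            return False, "OTP expired"
        if cn != rec["subject_cn"]:
            # valid OTP, but a subject the MDM never authorised for this device: refuse
            return False, f"subject {cn!r} does not match profile subject {rec['subject_cn']!r}"
        del self._issued[challenge]  # single use
        return True, f"forward to SCEP server for {rec['device']}"
```

One caveat for anyone placing such a gate in front of a real SCEP server: in a SCEP PKCSReq the PKCS#10 request travels inside a PKCS#7 envelope encrypted to the CA/RA certificate, so the MDM can only read the challengePassword and subject if it terminates that layer itself, that is, if it acts as the RA and holds the corresponding private key. The example above starts from the already-unwrapped CSR.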