On Tue, Jan 19, 2016 at 2:32 PM, Grant <emailgr...@gmail.com> wrote:
>
> I'm sorry, I meant can I lock down access to my web stuff so that a
> particular user can only come from a particular device (or from any
> device containing a key).
>

It looks like this hasn't been widely implemented, but it looks like
they do have the ability to generate TPM-backed client certificates
which could then be used for authentication (and you can set a policy
to auto-authenticate using the certificate).  It looks like you need
to use an extension to generate the key and CSR, and load the
certificate.  Google wrote an extension that does this for Active
Directory, but for any other certificate authority it looks like you
basically have to write your own (and probably publish it as FOSS).

So, the idea would be that you'd provision the device and then log
into it.  The device would auto-install the certificate installer and
then you'd run that extension to load a certificate and mark it for
use for all users on the device.  Then any user on that device could
authenticate using the certificate.  The key would be stored in the
TPM and would never leave the device, and wiping the device would
destroy the key.

You mentioned GPG keys, and this stuff is all RSA-backed, but SSL
client certificates don't use GPG itself.  All of this is FOSS as far
as I can tell.  All browsers can load and use client certificates, but
the advantage of a Chromebook is that the key can be generated by the
TPM and never leave it.

-- 
Rich
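Added example (not from Rich's message or anyone in the thread): the server side of the scheme he describes, in Go. The Chromebook-specific part, generating the key inside the TPM and loading the certificate through an extension, cannot be shown offline, so this code assumes ordinary software ECDSA keys in its place and constructs its own toy device CA, device certs ("chromebook-01", "chromebook-02") and user ("alice", password "correct horse"); all of those names are made up for the demo. What it does show is how a web app enforces "this user may only come from this device": the TLS layer refuses any client that does not present a certificate chaining to the device CA, and the application then checks that the certificate it was handed is one enrolled for the user who just authenticated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue returns a self-signed CA (isCA) or a client-auth leaf signed by parent, plus its tls.Certificate.
// Software ECDSA keys stand in for the TPM-resident keys a Chromebook extension would generate (demo assumption).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // positive, never zero
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// account binds a user's password to the SHA-256 fingerprints of the device certs they may log in from.
type account struct{ password string; devices map[[32]byte]bool }

// handler authenticates the user (Basic auth stands in for the app's own login), then requires that the
// client cert the TLS layer has already chained to the device CA is one enrolled for that user.
func handler(accounts map[string]account) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		acct, known := accounts[user]
		if !ok || !known || subtle.ConstantTimeCompare([]byte(pass), []byte(acct.password)) != 1 {
			http.Error(w, "bad credentials", http.StatusUnauthorized)
			return
		}
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 || !acct.devices[sha256.Sum256(r.TLS.PeerCertificates[0].Raw)] {
			http.Error(w, "user not enrolled on this device", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "hello %s from %s\n", user, r.TLS.PeerCertificates[0].Subject.CommonName)
	})
}

// request connects with an optional client cert and returns the HTTP status, or -1 when the TLS
// handshake is refused before any HTTP is exchanged.
func request(srv *httptest.Server, cc *tls.Certificate, user, pass string) int {
	tr := srv.Client().Transport.(*http.Transport).Clone() // already trusts the test server's cert
	if cc != nil {
		tr.TLSClientConfig.Certificates = []tls.Certificate{*cc}
	}
	req, _ := http.NewRequest("GET", srv.URL+"/secret", nil)
	req.SetBasicAuth(user, pass)
	resp, err := (&http.Client{Transport: tr}).Do(req)
	if err != nil {
		return -1
	}
	resp.Body.Close()
	return resp.StatusCode
}

// RunScenario builds a toy device CA, enrolls one device for "alice" (names and password are
// constructed for the demo) and exercises the policy from four client positions.
func RunScenario() map[string]int {
	ca, caTLS := issue("Example Device CA", true, nil, nil)
	enrolled, enrolledTLS := issue("chromebook-01", false, ca, caTLS.PrivateKey)
	_, otherTLS := issue("chromebook-02", false, ca, caTLS.PrivateKey)
	accounts := map[string]account{"alice": {"correct horse", map[[32]byte]bool{sha256.Sum256(enrolled.Raw): true}}}
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(ca)
	srv := httptest.NewUnstartedServer(handler(accounts))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs} // no cert, no HTTP
	srv.StartTLS()
	defer srv.Close()
	return map[string]int{
		"enrolled device":   request(srv, &enrolledTLS, "alice", "correct horse"), // 200
		"unenrolled device": request(srv, &otherTLS, "alice", "correct horse"),    // 403
		"wrong password":    request(srv, &enrolledTLS, "alice", "wrong"),         // 401
		"no client cert":    request(srv, nil, "alice", "correct horse"),          // -1
	}
}
```

RunScenario is the entry point (call it from a main or a test); it returns the status each client position gets: 200 for the enrolled device, 403 for a device whose certificate is valid under the same CA but not enrolled for alice, 401 when the password is wrong, and -1 where the handshake is refused outright because no client certificate was offered. Two points worth keeping from this: the device check runs on the leaf (PeerCertificates[0]) only after the TLS layer has verified the chain, and the binding is to the certificate's fingerprint rather than its subject name, so a certificate re-issued to the same device name after a wipe has to be enrolled again, which is what you want when the wipe destroyed the TPM key. If ClientAuth were left at its default the handler would see no peer certificate and fail closed with 403 for everyone rather than silently admitting them.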
