On Tue, Jan 19, 2016 at 2:32 PM, Grant <emailgr...@gmail.com> wrote:
>
> I'm sorry, I meant can I lock down access to my web stuff so that a
> particular user can only come from a particular device (or from any
> device containing a key).
>
It looks like this hasn't been widely implemented, but it looks like they do have the ability to generate TPM-backed client certificates which could then be used for authentication (and you can set a policy to auto-authenticate using the certificate). It looks like you need to use an extension to generate the key and CSR, and load the certificate. Google wrote an extension that does this for Active Directory, but for any other certificate authority it looks like you basically have to write your own (and probably publish it as FOSS).

So, the idea would be that you'd provision the device and then log into it. The device would auto-install the certificate installer and then you'd run that extension to load a certificate and mark it for use for all users on the device. Then any user on that device could authenticate using the certificate. The key would be stored in the TPM and would never leave the device, and wiping the device would destroy the key.

You mentioned GPG keys, and this stuff is all RSA-backed, but SSL client certificates don't use GPG itself. All of this is FOSS as far as I can tell.

All browsers can load and use client certificates, but the advantage of a Chromebook is that the key can be generated by the TPM and never leave it.

--
Rich
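The message above covers the device side (TPM-held key, CSR, certificate installed for all users). The server side that actually enforces "this user may only come from this device" is not described in the thread, so here is an added example that is not from Rich's message or from Chrome OS: an nginx fragment that requires a client certificate chaining to the CA which signed the device CSRs, maps each enrolled device certificate to the one user bound to it, and passes that binding to the application. The CA path, upstream address, hostname and fingerprints are assumptions (placeholders), not values from the thread.

```nginx
# Added example (not from the thread): nginx enforcing a per-user device binding
# via TPM-backed client certificates.
# Assumptions: the CA that signed the Chromebook CSRs is /etc/nginx/device-ca.pem,
# the web application listens on 127.0.0.1:8080, and the fingerprints below are
# placeholders for the SHA-1 fingerprints of the enrolled device certificates.

# Map each enrolled device certificate (by fingerprint) to the user it belongs to.
# A certificate that is not listed resolves to the empty string.
map $ssl_client_fingerprint $device_owner {
    default                                 "";
    "DEVICE1_SHA1_FINGERPRINT_PLACEHOLDER"  "alice";
    "DEVICE2_SHA1_FINGERPRINT_PLACEHOLDER"  "bob";
}

server {
    listen 443 ssl;
    server_name web.example.com;   # placeholder hostname

    ssl_certificate     /etc/nginx/server.pem;
    ssl_certificate_key /etc/nginx/server.key;

    # Only client certificates chaining to the device CA are accepted; the TLS
    # handshake fails for everything else, before any request reaches the app.
    ssl_client_certificate /etc/nginx/device-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # A lost device still has a valid key in its TPM until it is wiped, so keep a
    # CRL from the device CA and revoke such certificates here.
    # ssl_crl /etc/nginx/device-ca.crl;

    # Chaining to the CA is not enough: a device nobody is enrolled for is refused.
    if ($device_owner = "") {
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        # proxy_set_header replaces any client-supplied copy of these headers.
        # The application compares X-Device-Owner with the session's user and
        # denies the request when they differ, which completes the binding.
        proxy_set_header X-Device-Owner            $device_owner;
        proxy_set_header X-Client-Cert-Fingerprint $ssl_client_fingerprint;
    }
}
```

The application must do the final comparison of the session user against X-Device-Owner; nginx alone cannot know who is logged in.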