Hi All
Recently we built a Linux based system setup which is heavily relying on
X.509 certificates. On this occasion we had to realize that there is no
such thing as a client CSP available on Linux or UNIX (neither free nor
comercial; At least nothing which might be well supported by apps; If I
have overlooked something let me know). This ends in the paradox situation
that unless stored in a physical secured store (smartcard) a certificate
identity may only be used by exposing the certificate file directly to the
user using it (which makes it "transportable"; I am well aware that a root
user may always transport a certificate unless stored in an apropriate HW
store).
All the following text is just a couple of thrown thoughts. Feel free to
comment and/or criticize it.
It usually would make no sense to implement a CSP as it would require that
we would have to implement the support for the respective CSP into each
and every application. There is however a solution which might work. As
OpenSSL is widely used in lots of applications it would be a thing to
consider the following:
OpenSSL would have to be modified as follows:
- Implement a "dual use" for certificates which allows to
- Either use an "ordinary" certificate (to be used as of now)
- or a CSP configuration which contains the configuration where and
how to get the certificate services
- Implement a certificate service provider daemon in OpenSSL which offers
access thru named sockets or network sockets
- Implement a CSP configuration generator in OpenSSL which creates CSP
configuration files which can be distinguished from a certificate at any
time.
This modification of the OpenSSL library would allow to make the
certificates more secure and allow applications without (!) any code
modification (just by linking against the CSP capable OpenSSL library) to
support the CSP.
I am well aware of the magnitude of the proposed change. I futhermore
intentionally left out a couple of important details (such as how would
the client authenticate against the CSP server or how is the CSP daemon
configured). I am furthermore aware that introducing such a client/server
design would introduce a new SPOF and a couple thoughts should be wasted
towards that direction as well.
I have not seen any features covering the purpopse of the above mentioned
changes. I would be however more than happy to hear that all of it
allready exists.
I would be very glad if someone would raise either a cople of concerns or
shout for its implementation (or both).
Regards
Martin
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
