[Architecture] SCEP & Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-03 Thread Sanjiva Weerawarana
Dilshan & Prabath, should the SCEP server code ship with IS by default? Prabath I remember a long discussion about certificate issuing and distribution 3-4 years ago but don't think we ended up implementing yet .. is this a lightweight solution? Dilshan have you guys already implemented it? Sanjiv

Re: [Architecture] SCEP & Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-03 Thread Dilshan Edirisuriya
Hi Sanjiva, We have taken the Apple-provided source code at [1]. This comes with the companion file. We did extend this to our needs and for the moment we run this on top of a Ruby server to handle the enrolment and necessary provisioning. The requests, responses are handled by plists where we have

Re: [Architecture] SCEP & Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-03 Thread Prabath Siriwardena
On Sat, Aug 3, 2013 at 9:04 PM, Sanjiva Weerawarana wrote: > Dilshan & Prabath, should the SCEP server code ship with IS by default? > > Prabath I remember a long discussion about certificate issuing and > distribution 3-4 years ago but don't think we ended up implementing yet .. > is this a light

Re: [Architecture] SCEP & Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-03 Thread Prabath Siriwardena
Just had a look at how this works with iOS [1].. I may be totally wrong (please correct me in that case) - I just went through the doc quickly.. In the Response from the MDM - it has the following.. Which in fact gives details to connect to a different SCEP server.. so our MDM needs not to work

Re: [Architecture] SCEP & Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-03 Thread Dilshan Edirisuriya
Yes Prabath our MDM needs not to work as a SCEP server. Right now it's a separate WEBrick web server and the code is written in Ruby. SCEP server can be any third party server like EJBCA etc. I had an offline discussion with Azeez and came to the conclusion that the SCEP server part needs to be separ

Re: [Architecture] SCEP & Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-04 Thread Prabath Siriwardena
Hi Dilshan, Have we considered passing the SCEP requests from the devices through the MDM and validating those.. There is a separate mail on that.. Thanks & regards, -Prabath On Sun, Aug 4, 2013 at 10:11 AM, Dilshan Edirisuriya wrote: > Yes Prabath our MDM needs not to work as a SCEP server. Righ

Re: [Architecture] SCEP & Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-04 Thread Shanmugarajah Sinnathamby
Hi Prabath, Currently the SCEP server is within the MDM domain itself, where validation will be done based on the user challenge before it gets passed to it. The validation part is not done. Also there is a performance issue in the time taken to enroll a device, Mayuran is working on that along with t

Re: [Architecture] SCEP & Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-04 Thread Prabath Siriwardena
I guess the user challenge itself is not enough.. We also need to validate the SCEP request.. Thanks & regards, -Prabath On Mon, Aug 5, 2013 at 10:32 AM, Shanmugarajah Sinnathamby wrote: > Hi Prabath, > > Currently the SCEP server is within the MDM domain itself, where validation > will be done based

Re: [Architecture] SCEP & Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-04 Thread Dilshan Edirisuriya
On Mon, Aug 5, 2013 at 10:39 AM, Prabath Siriwardena wrote: > I guess the user challenge itself is not enough.. We also need to validate > the SCEP request.. +1. Why don't we expose the SCEP component from IS so we can add IS level security as well? Right now Mayuran has started working on the Java

Re: [Architecture] SCEP & Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-05 Thread Shanmugarajah Sinnathamby
Hi Prabath, The challenge is a random number generated and associated with a user and device. So when the SCEP request hits in, we check the Challenge and the associated user device and a flag is set. Also this gives flexibility for the user to enroll 1 or more devices, since the challenge is fo

Re: [Architecture] SCEP & Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-05 Thread Shanmugarajah Sinnathamby
Hi Prabath, Hope you had a look at this http://www.youtube.com/watch?v=SfMeKnch3YA On Mon, Aug 5, 2013 at 1:41 PM, Shanmugarajah Sinnathamby wrote: > Hi Prabath, > > The challenge is a random number generated and associated with a user and > device. So when the SCEP request hits in, we check t

Re: [Architecture] SCEP & Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-05 Thread Prabath Siriwardena
Hi Shan, Even here - it uses a SCEP server, which is a separate entity. And this video too explains the vulnerability of SCEP - as it is designed for closed systems.. That is one reason we need to validate the SCEP request against the profile we passed to the device... It has to validate device id

Re: [Architecture] SCEP & Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-05 Thread Dilshan Edirisuriya
Hi, We had a discussion about this today. The final conclusion is to have a pass-through from MDM to SCEP server. Every request going to the SCEP server needs to go via the MDM interface. Hence it will be easy to validate the request from MDM using a one time password. Initially we agreed to have a

Re: [Architecture] SCEP & Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-05 Thread Suresh Attanayaka
Hi Prabath, I have a few concerns on this. Who can ask OTPs from MDM? Exactly what does MDM identify in this step, is it the user, device or both? What is the OTP going to look like, I believe OTP generation should use a crypto function based on [timestamp+deviceid+userid]. And we should have a mean t
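The design the thread converges on (Dilshan's MDM pass-through that validates a one-time password before anything reaches the SCEP server, and Suresh's suggestion that the OTP be a cryptographic function of timestamp, device id and user id) as an added Python example. This is not code from the thread or from the WSO2 projects it discusses; the HMAC key, the `timestamp.nonce.tag` token format, the ten-minute lifetime, the in-memory replay set and the shape of the gated request are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Tuple

class ChallengeIssuer:
    """Issues and verifies one-time SCEP challenge passwords bound to a
    (user, device) pair. The token is timestamp.nonce.tag where tag is an
    HMAC-SHA256 over user|device|timestamp|nonce, so a challenge issued for
    one enrolment cannot be presented for a different user or device, and a
    server-side replay set makes each challenge usable exactly once.
    Assumed design, not the project's own implementation."""

    def __init__(self, secret_key: bytes, ttl_seconds: int = 600):
        self.key = secret_key          # assumption: MDM-held server secret
        self.ttl = ttl_seconds         # assumption: ten-minute lifetime
        self._used = set()             # nonces already consumed (one-time use)

    def _tag(self, user_id: str, device_id: str, ts: int, nonce: str) -> str:
        msg = f"{user_id}|{device_id}|{ts}|{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def issue(self, user_id: str, device_id: str, now: int = None) -> str:
        """Create a challenge for this user/device; the MDM embeds it in the
        enrolment profile it hands to the device."""
        ts = int(time.time() if now is None else now)
        nonce = secrets.token_hex(8)   # unpredictable per-challenge value
        return f"{ts}.{nonce}.{self._tag(user_id, device_id, ts, nonce)}"

    def verify(self, challenge: str, user_id: str, device_id: str,
               now: int = None) -> Tuple[bool, str]:
        """Check a presented challenge against the user/device the enrolment
        claims. MAC is checked first so malformed or foreign tokens never
        reach the expiry or replay logic."""
        ts_now = int(time.time() if now is None else now)
        try:
            ts_s, nonce, tag = challenge.split(".")
            ts = int(ts_s)
        except ValueError:
            return False, "malformed"
        expected = self._tag(user_id, device_id, ts, nonce)
        if not hmac.compare_digest(expected, tag):
            return False, "bad-mac"    # wrong user/device, wrong key, or tampered
        if ts_now - ts > self.ttl or ts > ts_now + 60:
            return False, "expired"    # too old, or implausibly in the future
        if nonce in self._used:
            return False, "replayed"   # already consumed once
        self._used.add(nonce)
        return True, "ok"

def mdm_scep_gate(issuer: ChallengeIssuer, request: dict, now: int = None) -> dict:
    """The pass-through decision: only a request carrying a valid, unused
    challenge for the claimed user and device is forwarded to the SCEP server.
    `request` is an assumed dict shape with keys user, device, challenge."""
    ok, reason = issuer.verify(request["challenge"], request["user"],
                               request["device"], now=now)
    return {"forward_to_scep": ok, "reason": reason}

if __name__ == "__main__":
    # Constructed demo values, not real identities or keys.
    issuer = ChallengeIssuer(b"constructed-demo-key")
    c = issuer.issue("alice", "ios-device-01")
    print(mdm_scep_gate(issuer, {"user": "alice", "device": "ios-device-01", "challenge": c}))
    print(mdm_scep_gate(issuer, {"user": "alice", "device": "ios-device-01", "challenge": c}))
```

The MAC binds the challenge to the identity pair, which answers Suresh's "user, device or both" question with both; the nonce plus replay set gives the one-time property, and the timestamp bounds how long a profile that leaks from a device remains usable. The replay set is per-process here; a real MDM would keep it in shared storage so every pass-through instance sees the same consumed challenges.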