
Client Certs

Proposed by Michael Tran Duff

Covered: the whys and hows of certificate-based authentication.
1. How do certs work
2. Deployment schedule
3. Major components
4. User perspective
5. Integration plans: web SSO, VPN, secure wireless
Notes

About half the audience says they are familiar with the topic

 

Why:

 

Why are we doing this? What benefits do we get?

  1. User experience: no password prompts for VPN, websites, etc.
  2. The chokepoint for endpoint compliance is the campus network; devices that never connect to the Stanford net cannot be checked for minsec compliance.
  3. Phishing (#1 risk by far): credential harvesting (typing your password into a phishing site, etc.). A certificate can't be phished. Won't help with other types of phishing attacks (malware installs and the like).
  4. As a way to work around services that don't support dual auth (e.g. ActiveSync).

How:

  1. How do certs work
  2. Deployment schedule
  3. Major components
  4. User perspective
  5. Integration plans: web SSO, VPN, secure wireless

 

How do certificates work: Math! (explanation of public key authentication)

 

Authentication, non-repeatability.

 

How do you know you are using the right public key? (CA) Certificate: Name/ID -> public key

 

Discussion of certificate parts (DN, CN, etc.) and X.500. Role of the CA as a trusted mapping from entities to certificates. Bad things happen when a root certificate is compromised (it allows an attacker to issue their own certs to impersonate an entity).

 

Root -> intermediate -> entity certs (users)
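
The public-key check and the root -> intermediate -> entity chain from the notes above, as an added example that is not from the session. It assumes textbook RSA on fixed Mersenne primes with no padding (illustration only), and the CA and device names are placeholders.

```python
import hashlib
import secrets

def make_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(private, msg):
    n, d = private
    return pow(digest(msg, n), d, n)

def verify(public, msg, sig):
    n, e = public
    return pow(sig, e, n) == digest(msg, n)

def tbs(cert):  # "to be signed" bytes: the name -> key binding, without the signature
    return repr((cert["subject"], cert["issuer"], cert["public"])).encode()

def issue(issuer, issuer_private, subject, subject_public):
    cert = {"subject": subject, "issuer": issuer, "public": subject_public}
    return {**cert, "sig": sign(issuer_private, tbs(cert))}

def chain_ok(cert, intermediates, roots):
    """Walk entity -> intermediate -> root, checking every issuer signature."""
    for _ in range(len(intermediates) + 1):
        if cert["issuer"] in roots:
            return verify(roots[cert["issuer"]], tbs(cert), cert["sig"])
        parent = intermediates.get(cert["issuer"])
        if parent is None or not verify(parent["public"], tbs(cert), cert["sig"]):
            return False
        cert = parent
    return False

def authenticate(cert, response, nonce, intermediates, roots):
    # Server side: trust the key via the chain, then check the signed nonce.
    return chain_ok(cert, intermediates, roots) and verify(cert["public"], nonce, response)

# Constructed hierarchy with placeholder names; toy key sizes, NOT secure.
ROOT_PUB, ROOT_PRIV = make_key(2**521 - 1, 2**607 - 1)
INT_PUB, INT_PRIV = make_key(2**127 - 1, 2**107 - 1)
USER_PUB, USER_PRIV = make_key(2**89 - 1, 2**61 - 1)
ROOTS = {"Example Root CA": ROOT_PUB}  # the server's pinned trust anchor
INTERMEDIATES = {"Example Int CA": issue("Example Root CA", ROOT_PRIV, "Example Int CA", INT_PUB)}
USER_CERT = issue("Example Int CA", INT_PRIV, "user@laptop", USER_PUB)
NONCE = secrets.token_bytes(32)  # fresh challenge per login; the private key never leaves the device
print(authenticate(USER_CERT, sign(USER_PRIV, NONCE), NONCE, INTERMEDIATES, ROOTS))
```

A response captured for one nonce fails against the next one, and a certificate signed by a key outside the chain fails `chain_ok` even if it names the right issuer.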

 

Stanford is running its own root CA for this. It will issue certs valid for 5 years (the rough lifetime of an endpoint device).

 

[overview of revocation process, either CRL or OCSP. Revocation list must keep old certs up to their lifetime]

 

User perspective: visit the getcert login (new web login); two-factor is required to get a cert. It generates and installs the cert (per-device at least, per-browser sometimes; Firefox is weird and NOT supported initially). Audience notes that some Oracle users need to use Firefox.

Does not replace two-factor; that is still needed periodically in case a private key leaks.

You can get a cert for any device, BUT that device must be in mydevices within a week. (CloudPath is the intermediate CA.)

 

Deployment: not advertised; soft rollout with a limited number of allowed participants at the end of Feb, then extending access. More things will require two-step for security reasons (again, if certs get out).