
All certificate-based applications depend on the user's certificates and their associated private keys being installed in the appropriate location(s) in advance, such that they are accessible to applications as needed but still under the user's control. Some PKI-enabled applications require further setup on the user's device, and others, such as VPN clients, often require workstation firewall tuning to work at all. The level of user acceptance, and thus the success of the overall project, often depends on how easily users can have their certificates installed in every needed location on their workstations and mobile devices, have their applications preconfigured for certificate use, and how clearly they are warned when an expiring certificate needs to be replaced.
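
The expiry warning mentioned above is straightforward to automate on the workstation side. The POSIX shell script below is an added example, not code from the original page or from the InCommon/Comodo project; it assumes the openssl command-line tool is installed, and the certificate directory, file names and the 30-day warning window are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: report user certificates that will expire within a
# warning window so they can be renewed before applications start failing.
# Assumes the openssl CLI is present; paths and the window are placeholders.

# cert_expires_within FILE SECONDS
# Exit status 0 if the certificate in FILE expires within SECONDS, 1 if not.
# `openssl x509 -checkend N` exits 0 when the certificate is still valid N
# seconds from now and non-zero when it will have expired (or cannot be
# read), so the result is inverted; an unreadable file is reported as a
# problem, which is the safe direction.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# warn_expiring DIR DAYS
# Print one warning line per PEM certificate under DIR that expires within
# DAYS days. Returns 0 if at least one was found, 1 otherwise.
warn_expiring() {
    dir=$1
    secs=$(( $2 * 86400 ))
    found=1
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if cert_expires_within "$f" "$secs"; then
            printf 'WARNING: %s expires within %s days (%s)\n' "$f" "$2" \
                "$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')"
            found=0
        fi
    done
    return $found
}

# make_test_cert FILE DAYS
# Generate a self-signed certificate valid for DAYS days. This is constructed
# test data so the script can be exercised offline; a real deployment checks
# the CA-issued certificate already installed on the workstation.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}.key" \
        -out "$1" -days "$2" -subj "/CN=user@example.edu" >/dev/null 2>&1
}

# Typical use from a daily scheduled job (placeholder path and window):
#   warn_expiring /etc/ssl/user-certs 30
```

Running `warn_expiring` from a daily cron job or login script, and surfacing the result to the user rather than only to a log, covers the "warn before it expires" requirement for certificates stored as files; certificates held in the Windows or macOS system store need the platform's own tooling, but the 30-day `-checkend` test is the same idea.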

The Simple Certificate Enrollment Protocol (SCEP) is an X.509 certificate enrollment protocol that simplifies certificate issuance: the client generates its own key pair and submits a certificate request to the CA over HTTP, so the private key never has to be distributed. Some VPN servers (Cisco, Juniper, etc.) support SCEP natively.

Service Considerations

The first consideration in making certificate-enabled services work transparently for users is a friendly mechanism for installing their certificate and private key in all of the needed location(s) on their workstations and mobile devices. Such a mechanism would typically mark the private key as non-exportable, so that the certificate can be used on the device but the key cannot be copied off it. Basic workstation security settings, such as a password-protected screen saver, can also be verified as part of the installation process. Certificate store requirements for the common applications listed above are summarized in the table below:

...

  1. Certificate Availability
    Work within InCommon and with Comodo to make certificates available. This process involves (a) developing the appropriate CPS and having it approved by InCommon and Comodo, (b) creating a certificate profile that works well with known campus PKI-enabled applications, and (c) working with Comodo to make these certificates available via their web site.
  2. Certificate Enabled Applications
    Document typical campus PKI-enabled applications and services, including information on how these applications are typically enabled, their configurations, and a summary of items to consider before deploying the application. This work will also highlight the issues associated with encryption, and especially encrypted email.
  3. Mobile Devices (e.g., iPhone and Android)
    Provide information and guidance on the use of certificates on mobile devices such as iPhones and Android devices. This includes advice on how to enable security profiles that enforce device PINs to protect the certificate and its use. Mobile devices are lost more frequently than workstations and laptops, so the PIN is what stops whoever finds the device from using the private key.
  4. Comodo Client Certificates API
    Evaluate the suitability of the Comodo API (as opposed to web interface) for the rapid issuance of certificates to large numbers of users.  Recommend changes if/as needed.
  5. Certificate Installation Automation
    Evaluate tools that automate the installation of certificates on user workstations and manage the setup of certificate-enabled applications (e.g., wireless profiles, firewall rules for VPN, etc.). These tools should also facilitate certificate management and renewal. One such tool might be the Simple Certificate Enrollment Protocol (SCEP), an X.509 certificate enrollment protocol that simplifies certificate issuance. The iPhone and some VPN servers (Cisco, Juniper, etc.) natively support SCEP.
  6. Shibboleth-enabled Access
    Work with Comodo to facilitate the creation of a Shibboleth-based interface for the issuance of end user certificates.