10 User management in the absence of a S.E.E.
Within this section:
- 10.2 PKI enabling legacy non-web based applications
10.1.1 Since there is no centralised directory that applications can use to present user lists to those who grant users access, applications need to either search the directories of all potential CAs, or require the administrator to determine the DN of the certificate and enter it manually.
10.1.2 Unfortunately, not everyone with a certificate will be listed in a CA directory: some users or organisations will ask not to be included in a CA's directory, and some CAs may not run a directory at all.
10.1.3 In some cases the certificate could be emailed to the administrator by sending a signed message, however this should not be relied upon as:
- not all certificates will be flagged to work with secure email,
- some certificates will be marked for authentication only (which some email clients won't permit for signing),
- some email clients don't support S/MIME,
- some organisations don't permit signed messages through their content filters, and
- some content filters and email servers strip digital signatures from messages by default.
10.1.4 Often the DN of the certificate can be predicted from known user information (their name and organisation); however, name forms are often a problem, e.g. 'Lesley' rather than 'Les', and 'Department of the Prime Minister and Cabinet' is often misspelled without the 'the'.
10.1.5 Manual entry of DNs is error-prone, as even spaces or commas may be significant, depending on the application.
10.1.6 Solid, documented procedures for user creation will be required to minimise errors, as errors lead to user frustration and to security risks.
10.1.7 Audit logs should record user setup errors, and these logs should be readily accessible to those performing user management tasks.
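The following is an added example, not part of the original guidance, showing one way to make DN matching tolerant of the formatting differences described in 10.1.4 and 10.1.5 while still writing an audit record, as 10.1.7 asks, for anything that did not match exactly. It normalises DN strings according to the RFC 4514 rules (case of attribute types, whitespace around separators, escaped characters, the order of attributes within a multi-valued RDN), so a real difference such as a missing 'the' or 'Les' for 'Lesley' still fails. The sample DNs, the logger name and the `check_user_dn` function are constructed for this example.

```python
import logging
import re

# Added example (not part of the original guidance): compare a manually
# entered DN against the DN read from a certificate by normalising both
# according to RFC 4514 string rules, so that case, whitespace around
# separators and escaping do not cause spurious mismatches, while real
# differences (a missing word, a different given name) still fail.

log = logging.getLogger("user-admin")  # assumed logger name

# Long attribute type names (as used by e.g. Python's ssl.getpeercert())
# folded to the short forms used in DN strings.
TYPE_ALIASES = {
    "commonname": "cn", "organizationname": "o",
    "organizationalunitname": "ou", "countryname": "c",
    "localityname": "l", "stateorprovincename": "st",
}

def split_unescaped(text, sep):
    """Split on sep, ignoring separators preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])      # keep the escape for later
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts

def unescape(value):
    """Resolve RFC 4514 escapes: backslash+char and backslash+two hex digits."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            hexpair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                out.append(chr(int(hexpair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)

def parse_dn(dn):
    """Parse a DN string into a list of RDNs, each a frozenset of
    (type, value) pairs with the type lower-cased and the value
    whitespace-collapsed and case-folded (what caseIgnoreMatch does)."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = set()
        for ava in split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed attribute-value assertion: {ava!r}")
            attr_type, raw_value = ava.split("=", 1)
            attr_type = attr_type.strip().lower()
            attr_type = TYPE_ALIASES.get(attr_type, attr_type)
            value = " ".join(unescape(raw_value).split()).casefold()
            avas.add((attr_type, value))
        rdns.append(frozenset(avas))
    return rdns

def dn_equal(a, b):
    """True when two DN strings name the same entry under RFC 4514 rules."""
    return parse_dn(a) == parse_dn(b)

def check_user_dn(entered_dn, certificate_dn):
    """Decide whether an administrator-entered DN identifies the certificate,
    and write an audit record for anything that is not an exact match."""
    if entered_dn == certificate_dn:
        return True
    if dn_equal(entered_dn, certificate_dn):
        log.warning("DN matched only after normalisation: entered %r, certificate %r",
                    entered_dn, certificate_dn)
        return True
    log.error("DN mismatch: entered %r, certificate %r", entered_dn, certificate_dn)
    return False

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample DNs
    cert = "CN=Lesley Smith,O=Department of the Prime Minister and Cabinet,C=AU"
    print(check_user_dn("cn = Lesley Smith , o=Department of the Prime Minister and Cabinet, c=au", cert))
    print(check_user_dn("CN=Les Smith,O=Department of Prime Minister and Cabinet,C=AU", cert))
```

The warning on a normalised-only match is deliberate: the stored DN still works, but the audit trail shows that it was entered in a different form from the certificate, which is exactly the kind of setup discrepancy 10.1.7 wants visible to the people doing user management.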
10.2 PKI enabling legacy non-web based applications
10.2.1 To PKI-enable non-web based applications, user authentication and data encryption can be performed at lower network layers, for example by tunnelling through SSL/TLS.
10.2.2 However, such authentication is unlikely to flow through to the application without a specific "authentication proxy" service, and such systems typically require additional client software.
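As an added example, not code from the original guidance, the sketch below shows the shape of such an "authentication proxy" in Python: it terminates TLS, refuses any connection that does not present a client certificate chaining to the configured CA bundle, and then relays bytes to the legacy application over a loopback connection after sending the authenticated subject DN as a first line. The header line format (`X-Client-DN:`), the port numbers and the file names are assumptions; the legacy application would need to be adapted to read that line, and must accept connections only from the proxy, since anyone who can reach it directly could write that line themselves.

```python
import logging
import selectors
import socket
import ssl

# Added example (not part of the original guidance): a minimal
# "authentication proxy" for a legacy, non-web application. Clients connect
# over TLS with a client certificate; the proxy verifies it against the CA
# bundle, opens a plaintext connection to the legacy application and sends
# the authenticated DN as a first line before relaying bytes. The header
# line, ports and file names below are assumptions for this example.

SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value):
    """Escape an attribute value for inclusion in an RFC 4514 DN string."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in SPECIAL or leading or trailing else ch)
    return "".join(out)

SHORT_NAMES = {"commonName": "CN", "organizationName": "O",
               "organizationalUnitName": "OU", "countryName": "C",
               "localityName": "L", "stateOrProvinceName": "ST"}

def peer_identity(peercert):
    """Turn the dict from SSLSocket.getpeercert() into an RFC 4514 DN string.
    getpeercert() lists RDNs in certificate order (most significant first);
    the string form lists them least significant first, so reverse them."""
    if not peercert or "subject" not in peercert:
        return None
    rdns = []
    for rdn in reversed(peercert["subject"]):
        rdns.append("+".join(f"{SHORT_NAMES.get(t, t)}={escape_rdn_value(v)}"
                             for t, v in rdn))
    return ",".join(rdns)

def make_server_context(ca_file=None, cert_file=None, key_file=None):
    """TLS server context that rejects clients without a verifiable certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # no client certificate, no session
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def relay(client, backend):
    """Copy bytes in both directions until either side closes."""
    sel = selectors.DefaultSelector()
    sel.register(client, selectors.EVENT_READ, backend)
    sel.register(backend, selectors.EVENT_READ, client)
    while True:
        for key, _ in sel.select():
            src, dst = key.fileobj, key.data
            data = src.recv(4096)
            if not data:
                return
            dst.sendall(data)
            # A TLS record may decrypt to more than one recv() returns and the
            # remainder sits in a buffer the selector cannot see; drain it.
            while isinstance(src, ssl.SSLSocket) and src.pending():
                dst.sendall(src.recv(4096))

def handle_connection(tls_sock, backend_addr):
    dn = peer_identity(tls_sock.getpeercert())
    if dn is None:                       # cannot happen with CERT_REQUIRED, but be explicit
        tls_sock.close()
        return
    backend = socket.create_connection(backend_addr)
    try:
        backend.sendall(f"X-Client-DN: {dn}\r\n".encode())   # assumed header format
        relay(tls_sock, backend)
    finally:
        backend.close()
        tls_sock.close()

def serve(listen_addr, backend_addr, ca_file, cert_file, key_file):
    ctx = make_server_context(ca_file, cert_file, key_file)
    with socket.create_server(listen_addr) as srv:
        while True:
            conn, peer = srv.accept()
            try:
                tls = ctx.wrap_socket(conn, server_side=True)
            except ssl.SSLError as exc:  # no or untrusted client certificate: audit it
                logging.warning("TLS handshake from %s failed: %s", peer, exc)
                conn.close()
                continue
            handle_connection(tls, backend_addr)

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Placeholder paths: the proxy's own certificate/key and the CA bundle
    serve(("0.0.0.0", 8443), ("127.0.0.1", 5000),
          "ca-bundle.pem", "proxy.pem", "proxy-key.pem")
```

The proxy is what 10.2.2 calls the additional piece: TLS alone authenticates the client to the proxy, and it is the `X-Client-DN:` line (or whatever mechanism a real deployment chooses) that carries that identity on to the legacy application. Failed handshakes are logged so that a user whose certificate is not trusted shows up in the audit trail rather than simply "not working".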

