PKI Blog

Security Vulnerability - The Use of the Simple Certificate Enrollment Protocol (SCEP) and Untrusted Devices

Posted by Ted Shorter on Jun 27, 2012 11:19:38 AM

It’s been in the works for quite some time, but we are finally able to publicly announce a problem that we’ve encountered, related to the use of the Simple Certificate Enrollment Protocol, or SCEP, in conjunction with mobile devices. We’ve been working for months behind the scenes with the folks at the United States Computer Emergency Readiness Team (US-CERT) and CERT/CC at Carnegie Mellon, our customers, and a number of vendors as well, to help raise awareness of the issue. The CERT report can be found here, and we have a whitepaper and video overview on our website to provide more information.

It should be noted that not all MDM usage of SCEP is equally vulnerable. The scenarios that cause the most concern to us are those that involve the use of SCEP to issue authentication certificates to enterprise systems such as ActiveSync, WiFi, and VPN. In some cases it may be possible to use alternative configurations that reduce or eliminate these risks; in others, it may be more difficult. CSS is willing to help customers assess their specific usage of SCEP and PKI to determine their degree of exposure.


Topics: digital certificate, consumerization of IT, IT Security, Microsoft Security Partner, Mobile Device Management, bring your own device, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, mCMS, MDM, SCEP, Certificate Reporting Tool (CRT), PKI, certification and remediation, mobile certificate, Microsoft-centric infrastructure, Blog, Simple Certificate Enrollment Protocol, CERT Coordination Center, BYOD, ActiveSync, Got PKI?
