List:       focus-ms
Subject:    RE: IIS 5 and client certificates
From:       "Walter Williams" <wbjw () attbi ! com>
Date:       2002-11-08 12:00:55

And unless the app/data is not very important, don't consider this
sufficient.  All you are testing for here is whether a certificate was issued.
You are not testing for validity of the certificate vs a certificate trust list,
nor if the certificate is expired.

> -----Original Message-----
> From: Frank Knobbe [mailto:fknobbe@knobbeits.com]
> Sent: Tuesday, November 05, 2002 1:22 AM
> To: Chris Eidem
> Cc: focus-ms@securityfocus.com; security-basics@securityfocus.com;
> ceidem@jafonet.com
> Subject: Re: IIS 5 and client certificates
>
>
> On Fri, 2002-11-01 at 16:29, Chris Eidem wrote:
> > [...]
> > What I've tested:
> >
> > - Anyone with our cert can reach the site with certs ignored or
> > accepted, no surprise.
> >
> > - Anyone with our cert can reach the site with client cert mapping not
> > enabled.  Slightly surprising, as I would think that it would default to
> > no one being allowed access.
> >
> > - Anyone with our cert can reach the site with client cert mapping
> > enabled and no 1-to-1 rules.  Again surprising.
> >
> > - I added a second cert, and mapped it to a user that was not allowed
> > access to the default.html page.  That user was not allowed access, but
> > all other cert holders were allowed access.
> >
> > - I added a Many-to-1 rule denying access to anyone with the following
> > certificate criterion:
> >
> >      Issuer CN matches '<root CA text here>'
> >
> > With this enabled, and the local Root CA installed, it matches what I
> > thought that it would do with just the client cert installed.
> >
> >
> >
> > Since all the major CAs have their certificates installed into Windows
> > 2000, IIS recognizes them and I fear that anyone with a valid cert may
> > be able to access a site. [...]
>
>
> Chris,
>
> have you tried *removing* all other root certs from the root CA store of
> the web server, leaving only your own root CA cert in the certificate
> store?
>
> From what I understand, any certificate signed by a trusted root CA (so
> by default, Verisign etc) is accepted, and the CN name used as a
> username for authentication (or via the mapping, remapped to a different
> ID). It seems to me that if you trust only your certificate, you would
> need to reduce the trust in the root CA store to just your root cert.
>
> Regards,
> Frank
>
>
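
The two points of this thread worked through as an added example (not code from any of the posters): Walter's missing checks (chain to a trusted issuer, not expired) and Frank's "trust only your own root". It builds a constructed throwaway PKI with the openssl CLI (assumed on PATH, 1.1.1 or 3.x) and verifies client certs the way IIS 5 in Chris's tests did not: against one root rather than every root in the store, with expiry checked, plus an issuer-CN rule like his Many-to-1 mapping.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed throwaway PKI plus the checks
# the thread says IIS skipped: chain to OUR root only, reject expired certs,
# match the issuer CN. Assumes the openssl CLI (1.1.1 or 3.x) is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA cert + key; $1 = file prefix, $2 = CN.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Client cert signed by a root; $1 = root prefix, $2 = client CN,
# $3 = output prefix, $4 = validity in days.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days "$4" -out "$WORK/$3.pem" 2>/dev/null
}

# The check IIS did not make: chain client $1 to the single root $2 and require
# it to be valid at epoch time $3 (default: now). Exit 0 = accept, else reject.
verify_client() {
  openssl verify -CAfile "$WORK/$2.pem" -attime "${3:-$(date +%s)}" \
    "$WORK/$1.pem" >/dev/null 2>&1
}

# Chris's Many-to-1 criterion, "Issuer CN matches ...": $1 = client prefix,
# $2 = expected issuer CN.
issuer_cn_is() {
  openssl x509 -in "$WORK/$1.pem" -noout -issuer -nameopt RFC2253 \
    | grep -q "CN=$2"
}

# Constructed PKI: our root, a "public" root standing in for Verisign etc.,
# and one client cert issued by each.
make_root ourroot   "Our Root CA"
make_root otherroot "Some Public CA"
issue_client ourroot   alice   ours   365
issue_client otherroot mallory theirs 365

# Both certs "were issued"; only ours passes when only our root is trusted.
verify_client ours   ourroot && echo "ours:   accepted"
verify_client theirs ourroot || echo "theirs: rejected (issuer is not our root)"
verify_client ours   ourroot "$(( $(date +%s) + 400 * 86400 ))" \
  || echo "ours, 400 days from now: rejected (expired)"
```

Loading only `ourroot.pem` as the trust anchor is the scripted equivalent of Frank's advice to strip every other root from the server's store; the `-attime` call shows the expiry check Walter says is missing.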
