List: openldap-technical
Subject: Re: Proposal to strengthen slapd EXTERNAL authentication
From: Howard Chu <hyc () symas ! com>
Date: 2023-06-27 21:59:43
Message-ID: 649fb296-aff4-b02b-07d9-97c307df95a0 () symas ! com
Christopher Paul wrote:
> > The point of a certificate-based authentication system is not to have to
> > implement authentication rules for each and every individual user. An LDAP
> > server should only trust certificates issued by a single CA; that CA should only
> > be issuing certs to valid users. Ideally, the LDAP server should be the CA,
> > which is what slapo-autoca is designed for.
>
> Any peer in a TLS session that does validation seems to have three things to validate:
> 1. the X.509 subject name matching the name as known or claimed by the peer
The above applies to clients validating servers. TLS is client-server, not peer-to-peer.
Clients with certs assert their name to servers, and if the server trusts the cert issuer then it accepts the name that the client asserted.
> 2. the signing authority
> 3. the validity date
>
> Are we saying that the LDAP server should only care about #2?
The date is important too of course. And revocation checks too, but they aren't relevant to this conversation.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
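As an added illustration of the server-side model described in the thread (the LDAP server trusts one issuing CA, verifies the client cert and its dates, enforces revocation, and then accepts the subject name the client asserts), here is a slapd.conf fragment with the weak setting beside the corrected one. This is editorial example configuration, not code from the thread or from OpenLDAP; the file paths, the "people-ca" name and the o=example / dc=example,dc=com naming layout are assumptions.

```conf
# ---- Weak: trusts every issuer in a broad public bundle, and a bad client
#      cert is simply ignored rather than rejected.  Any CA in that bundle
#      could issue a cert whose subject looks like one of our users.
#      (Added example; paths and names are assumed.)
TLSCACertificateFile  /etc/ssl/certs/ca-bundle.pem
TLSCertificateFile    /etc/openldap/certs/ldap.example.com.pem
TLSCertificateKeyFile /etc/openldap/certs/ldap.example.com.key
# "allow": a missing or bad client cert is ignored and the session continues.
TLSVerifyClient       allow
# No CRL settings: a revoked client cert keeps working until it expires.

# ---- Corrected: exactly one organisation-internal CA is trusted for client
#      certs, verification is mandatory, revocation is checked, and the
#      asserted subject is mapped to one directory entry.
# Single trusted issuer (the CA that issues user certs, e.g. one run by
# slapo-autoca).  No public CA bundle is listed here.
TLSCACertificateFile  /etc/openldap/cacerts/people-ca.pem
# Directory holding only people-ca.pem and its CRL, hashed with c_rehash;
# TLSCRLCheck needs TLSCACertificatePath to find the CRL.
TLSCACertificatePath  /etc/openldap/cacerts
TLSCertificateFile    /etc/openldap/certs/ldap.example.com.pem
TLSCertificateKeyFile /etc/openldap/certs/ldap.example.com.key
# "demand": no cert, an expired cert, or a cert not chaining to people-ca
# terminates the session immediately.
TLSVerifyClient       demand
# Check the CRL for every cert in the chain (OpenSSL builds; GnuTLS builds
# use TLSCRLFile instead).
TLSCRLCheck           all

# With SASL/EXTERNAL the authentication identity is the client cert's
# subject DN.  Map it to the user's entry only when it sits under the naming
# branch people-ca is supposed to issue for; any other subject gets no
# authorization identity.  (Assumed DN layout.)
authz-regexp
  "^cn=([^,]+),ou=people,o=example$"
  "ldap:///ou=people,dc=example,dc=com??sub?(&(objectClass=inetOrgPerson)(cn=$1))"
```

The corrected fragment is what makes "trust the issuer, then accept the asserted name" safe: the issuer set is one CA, and the CRL check covers the revocation case the reply mentions but sets aside.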