
List:       openldap-technical
Subject:    Re: Proposal to strengthen slapd EXTERNAL authentication
From:       Howard Chu <hyc () symas ! com>
Date:       2023-06-27 21:59:43
Message-ID: 649fb296-aff4-b02b-07d9-97c307df95a0 () symas ! com

Christopher Paul wrote:
> > The point of a certificate-based authentication system is not to have to
> > implement authentication rules for each and every individual user. An LDAP
> > server should only trust certificates issued by a single CA; that CA should only
> > be issuing certs to valid users. Ideally, the LDAP server should be the CA,
> > which is what slapo-autoca is designed for.
> 
> Any peer in a TLS session that does validation seems to have three things to
> validate: 1. the x.509 subject name matching the name as known or claimed by the
> peer

The above applies to clients validating servers. TLS is client-server, not
peer-to-peer.

Clients with certs assert their name to servers, and if the server trusts the cert
issuer then it accepts the name that the client asserted.

> 2. the signing authority
> 3. the validity date
> 
> Are we saying that the LDAP server should only care about #2?

The date is important too of course. And revocation checks too, but they aren't
relevant to this conversation.


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
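The server-side rule Howard describes (trust certs from one CA only, check the validity dates, and only then accept the name the client asserted) carried out in code, as an added example that is not part of this thread or of OpenLDAP. It assumes only Go's standard crypto/x509; the CA names, the user "alice" and the dates are constructed, and revocation checking is left out as the thread does.

```go
package main
import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/x509"; "crypto/x509/pkix"; "math/big"; "time"
)

// tmpl builds a template: a CA when isCA is set, otherwise a client-auth leaf for user cn.
func tmpl(cn string, isCA bool, from, to time.Time) *x509.Certificate {
	c := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: from, NotAfter: to,
		Subject: pkix.Name{CommonName: cn, Organization: []string{"Example"}}}
	if isCA {
		c.IsCA, c.BasicConstraintsValid, c.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return c
}

// issue makes a fresh key for t and has signer sign it; with parent == nil it self-signs (root CA).
func issue(t, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil { parent, signer = t, k }
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &k.PublicKey, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c, k
}

// AuthenticatedName is the server-side rule from the thread: chain the client cert to the one
// trusted CA (signature, validity dates, client-auth usage) and only then accept the subject
// name the client asserted; "" means the cert is not trusted and no identity is established.
func AuthenticatedName(trustedCA, client *x509.Certificate, now time.Time) string {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil { return "" }
	return client.Subject.String()
}

// Scenario (constructed): one trusted CA; a valid client cert, an expired one, one from another CA.
func Scenario() (valid, expired, rogue string) {
	now := time.Date(2023, 6, 27, 0, 0, 0, 0, time.UTC)
	ca, caKey := issue(tmpl("LDAP CA", true, now.AddDate(-1, 0, 0), now.AddDate(9, 0, 0)), nil, nil)
	other, otherKey := issue(tmpl("Other CA", true, now.AddDate(-1, 0, 0), now.AddDate(9, 0, 0)), nil, nil)
	good, _ := issue(tmpl("alice", false, now.AddDate(0, -1, 0), now.AddDate(1, 0, 0)), ca, caKey)
	old, _ := issue(tmpl("alice", false, now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0)), ca, caKey)
	fake, _ := issue(tmpl("alice", false, now.AddDate(0, -1, 0), now.AddDate(1, 0, 0)), other, otherKey)
	return AuthenticatedName(ca, good, now), AuthenticatedName(ca, old, now), AuthenticatedName(ca, fake, now)
}
```

Only the cert chained to the trusted CA yields a name ("CN=alice,O=Example"); the expired cert and the one from the other CA yield "", even though all three carry the same subject. That returned DN is the asserted identity a server would then map to an LDAP entry.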

