Mark H. Wood wrote:
> [...]
> > (think what would happen if you were to look up these certificates somewhere other than locally, and someone were to spoof the DNS entry... since you are looking up these certificates to make a trust decision, it would be possible for an attacker to spoof both the CA and the end entity certificates, and that would be a VERY BAD THING :)
>
> Well, that's what DNSSEC is for.  Not to mention mutual authentication
> between the directory and client.
>
> I don't see why this CANNOT be secured.  I agree that it takes careful
> attention to detail if it is to be secured.
I'm quite sure it is not a "CANNOT", but more a "It's not really our business". OpenSSL seems to concentrate on the communication part; the certificate storage part is (IMHO) just the minimum thing possible. But a thing that worked well enough for quite some time. I agree it would be a cool extension to OpenSSL to fetch certificates from an LDAP server, but I would like to be able to use OpenSSL with only that simple file storage also!

Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
