Hi,

On Wed, Jan 03, 2024 at 10:45:50PM +0100, Antonio Quartulli wrote:
> On 03/01/2024 20:03, Gert Doering wrote:
> > Not sure I can come up with a good attack scenario
> > in an OpenVPN PKI scenario where the CA would be stopped from doing
> > something nasty by doing the full .csr dance (because it could still just
> > create arbitrary .key/.crt on its own, thus getting access to the VPN
> > server).
>
> I think the .csr dance would prevent the CA from impersonating well known
> users with a well known certificate.

Only if you verify that "well known certificate" with something like
peer-fingerprint - taking into account bits of the pubkey/privkey that
are not part of the actual "CA signing" thing (because everything else,
like "CN=important user", the CA can sign as it wants...)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
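Added illustration of the point above (example script written for this page, not code from the thread or from the OpenVPN project): the value a `peer-fingerprint` line pins is the SHA-256 hash of the whole DER certificate, which commits to the public key. A CA can always issue a second certificate with the identical CN, and that one chains fine, but it cannot reproduce the fingerprint of the original key. The CA, the genuine user cert and the impostor cert are all constructed in a temp directory; the names are arbitrary.

```shell
#!/bin/sh
# Added example: what "peer-fingerprint" pins versus what a CA can sign.
# The CA, "user" and "impostor" certificates are constructed here; nothing
# in this script comes from the original thread.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 fingerprint of the DER certificate, in the colon-separated hex form
# openssl prints (the same form OpenVPN expects after "peer-fingerprint").
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# The check a peer-fingerprint line performs: exact match against the pin.
pinned_ok() {
    [ "$(fingerprint "$1")" = "$2" ]
}

# A plain chain check: does the certificate validate against the CA?
ca_verify() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Issue a CA-signed certificate with CN=$2, key and cert named after $1.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Constructed CA; "user" is the genuine client, "impostor" is a fresh key the
# same CA signed with the identical CN, which is always within a CA's power.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 1 >/dev/null 2>&1
issue user "important user"
issue impostor "important user"

# The pin the server would carry, e.g. in its config as:
#   peer-fingerprint AA:BB:...:FF
PIN=$(fingerprint "$WORK/user.crt")

# Both certificates pass a CA-only check ...
if ca_verify "$WORK/user.crt";     then echo "user:     chains to CA"; fi
if ca_verify "$WORK/impostor.crt"; then echo "impostor: chains to CA (same CN)"; fi

# ... but only the genuine key matches the pinned fingerprint.
if pinned_ok "$WORK/user.crt" "$PIN"; then
    echo "user:     fingerprint matches pin"
fi
if pinned_ok "$WORK/impostor.crt" "$PIN"; then
    echo "impostor: fingerprint matches pin"
else
    echo "impostor: fingerprint mismatch (CA-signed, same CN, different key)"
fi
```

Note that the pin only protects the user it names: the server still has to pair each pinned fingerprint with the identity it accepts for it, otherwise the CA's ability to sign arbitrary CNs is unchanged.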
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
