> While this would technically work, it would be really bad news. This
would allow anyone with any user cert issued by a CA in the system wide
cert store (by any CA in the world) to be trusted and pass authorization
checks by p11_child. (Albeit, some directory attributes would have to
line up, depending on your match rules)

Well, that's just partially true since as you said:
 - Without a match rule (that has to be configured) there's no access anyways

However, as I was saying, maybe the other way around can be safer?
I mean, SSSD will still use /etc/sssd/pki/sssd_auth_ca_db.pem for the trusted
certs, but we will populate it by also adding the ones trusted by the system.

Maybe providing a way to filter them out.

I'm talking only about upgrades from NSS installs, though; for new
installations people will have to manually add their trusted CAs to
/etc/sssd/pki/sssd_auth_ca_db.pem.

The point here is, I suppose, that if the system trusts a CA, then we
can't just not trust it for some specific operation; this can still be
filtered out (if needed) by using proper sssd config parameters.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1919563

Title:
  updated sssd with smart cards now brick systems without full cert
  chain
