Nils Ohlmeier wrote:
On Tuesday 11 October 2005 16:32, Klaus Darilion wrote:
Jan Janak wrote:
Client certificate ? Why ? Make sure that the client certificate is
created by a trusted CA (which is known to SER) and once a request
arrives over TLS then you know that the certificate was valid
(provided that you enable client certificate verification).
Knowing that the certificate is valid is not enough. Badguy can have a
certificate for badguy.com which is perfectly valid, but this does not
imply that I trust badguy.com. I have to compare the certificate domain
with the domains of trusted peers somehow.
Klaus, if you do not trust badguy.com although he has a valid singed
certificate from a CA which you trust, then you can throw away TLS
completely.
There is a big difference between authentication and authorization.
1. I have to authenticate the peer. Using TLS and certifiactes is fine.
2. I have to authorize the peer. Some peers will be e.g. routed
different. You would this this like:
if (message is from trusted peer) {
....
So I need to check the certificate in ser.cfg somehow, or associate the
domain in the From header with the domain in the certificate.
Or do I miss the point?
regards
klaus
The hole model only works because the trust in inherited from the CA when you
get a singed certificate.
If you do not trust any CA, except your own, then you created your own trust
database which is hard to maintain. No matter what is the base of the
trustworthyness (IP; certificate signed by you; shared secret or signed
certificate for IPSec) maintaining the trust database (or however you call
it) is a real pain, that is the reason why you should trust someone else to
do this job.
BTW why do you need/want to trust someone and others not?
You want to give privileges to the trustworthy. But what happens if they cheat
you? You should be able to track them down. And then sue them (if the laws of
both countries allows this)?
Sueing them is your only weapon in the end. If you cant sue them you are
doomed anyway no matter what is your trust base.
Enough philosophy :-)
Nils
_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users
