Susan wrote:
Indeed it is, if you have to update thousands of clients with the CA cert. But then, if you have such a large deployment, you will probably find it beneficial to apply for a real CA cert from Verisign or some such, and use a real CA.--- Howard Chu <hyc@xxxxxxxxx> wrote:Stop for a moment and think that through. If you don't configure the client with a set of CAs to trust, then the only way to make the TLS handshake work is to tell the client not to attempt to verify the server's cert at all. That means any server can present any ol' made up certificate, claiming to be any entity, and the client will just blindly trust it.oops, you're right, I didn't think that through. Of course. it just seems that managing CA certs on the clients would be a real pain.
<shameless_plug_for_RHCS>Red Hat Certificate System has support for web based cert issuance. It supports CRL generation and has an OCSP responder. It can generate certs and automatically publish them to an LDAP server (e.g. to generate the userCertificate attribute for users).
</shameless_plug_for_RHCS>
This issue is outside of Fedora DS. It's more of an issue with your PK infrastructure and your CA.Besides, is there any way within this whole FDS framework to revoke Certs?
Revoke the cert on the CA, and have the CA generate a CRL. Then, push out this CRL to all of your clients. I'm not sure how to do this with openssl, but NSS provides a command line tool called crlutil that can be used to install a CRL into your cert database. Mozilla/Firefox/Thunderbird can do this automatically.If the ldap server is compromised, how do I tell the clients not to trust it (or the CA or both) anymore???
For client programs such as email clients and web browsers, who just want to check the status of the server cert, they can use OCSP (if your CA supports it). I don't know if there is widespread support for OCSP - mozilla/firefox/thunderbird supports it, but I don't know about other client apps. OCSP is not good for server apps which need to validate client certs, especially if under any sort of load at all. For this, the server really needs the CRL. Our mod_nss author was also working on an Apache module which would automatically pull down CRLs from the CA using http(s) or ldap(s). We might be able to do something like that for Fedora DS. We proposed it as a feature a couple of years ago, but it was shot down because no customer asked for it.
__________________________________________________ Do You Yahoo!?Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
