-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/19/2013 01:46 PM, Stephen Frost wrote: > If you're using a public CA as your > root, then you need to make sure you know how to ensure only the right > people have access, typically be storing in the mapping table the unique > ID issued by the CA for your users. Yep, in most applications I've seen you usually store a list of authorized SubjectDNs or you just use your own self-signed root and issue certs from it. I'm pretty sure I've seen tools match on part of the DN, like the organisation field, but since I can't remember *where* I'm not sure that's all that useful. > It's very rare, from what I've > seen, for public CAs to issue intermediate CAs to organizations to > generate their own certs off of, so I'm a bit confused about how we got > to this point. I don't know about "very rare" but it's certainly not common outside very large orgs. I tried to find a CA that'd let me issue intermediate client certs for 2ndQuadrant but found nobody that'd do it for certificate volumes less than several thousand new certs a month. I'd been using intermediate CAs based on my own self-signed CA root quite heavily in infrastructure elsewhere I was rather surprised that the same sort of thing wasn't easily available for public CAs. I get the impression it's fairly common in internal infrastructure, especially with the cert management tools offered by Microsoft Active Directory servers, but have no strong information to substantiate this. Nor do I know whether we need to support this mode of operation. BTW, This discussion has made me realise that I know less about SSL/TLS and X.509 certificate extensions than I'd like to when dealing with this topic. In particular, I don't know whether a CA can issue an intermediate CA with extensions that restrict it to validly signing only host certificates for hosts under a particular domain or user-identifying client certs with CNs under a particular organisation - and whether, if such extensions exist, applications actually check them when verifying the certificate trust chain. > What I *have* seen is cross-root-cert trusts (known as the Federal > Bridge in the US government), but that's quite a different thing as you > have multiple self-signed root CAs involved and need to know how to > properly traverse between them based on the trusts which have been > built. Ugh, that's not something I've ever had the ... privilege ... to deal with before. > > I'm no longer convinced that this really makes sense and I'm a bit > worried about the simple authentication issue which I thought was at the > heart of this concern. Is there anything there that you see as being an > issue with what we're doing currently..? Only for using intermediate certs as authorization roots, and it may be reasonable to say "we don't support that, use an authorized DN list". Or come up with a better solution like checking attributes of the SubjectDN for authorization purposes after validating the signature chain to prove authenticity. > I do think we want to figure out a way to improve our mapping table to > be able to use more than just the CN, since that can be repeated in > multiple certs issued from a root CA, particularly when there are > intermediary CAs. One option might be to provide a way to map against a > specific issuing CA, or to a CA in the chain, but there's a lot of risk > to that due to CA churn (in large setups, you're going to have lots of > users who have certs issued from a bunch of different CAs, and those > user certs will roll to new CAs as new badges are issued, for > example..). It can get to be a real nightmare to try and keep up with > all of the changes at that level. Certificate fingerprint? Easily obtained via most client UIs and via openssl x509 -in cert.crt -fingerprint, eg: SHA1 Fingerprint=DA:03:9B:FB:81:69:AB:48:64:3D:35:B4:90:56:CF:F1:24:FE:89:B0 However, if I was managing a group large enough to want cert auth I'd want to be able to specify something like: SubjectDNMatches: C=*, ST=*, L=*, O=MyCompany, CN=* ... in which case there'd no longer be a need to restrict trust to intermediate CAs, you'd just trust the root and restrict the authorized SubjectDNs. If you don't trust your own root CA not to issue certs in your company's name to 3rd parties you shouldn't be using it. (Whether it's actually sane to trust a CA is another argument). - -- Craig Ringer http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJRSAJZAAoJELBXNkqjr+S2JrcIALZebfEW4FbfFI6WOs6qDutr tz486SlnPV+cf29ex242evSUgNQTz38uFKMIs9EIRfe7sVKz3whn0MARmQY9dKph CusbXNqcPIBbZIZM1hObaKOnMvNnGk5sxnRh4iKjzcMjqCULG5LVX7bXAXn3PcjA u3lYlNWONWdmz708QOCgvpui4wEv5+bVuik/CnRdPu+BWAcndJHUMuxZMxkUC/rs 4OjLlEg6BPiXRgIKTFBNsa0vvCyVBUd5ri0RCtxUr5T/L/ORWdM+Ic0nqCEPTqyI EOtDKuNZUqEnsCOacwulwRDxQXnUoU+6zBHud8al32+PeWLKHLAIcFEiYYSQUjI= =Ba3M -----END PGP SIGNATURE----- -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general