[Freeipa-devel] Multiple CA certificates in LDAP, questions

Henry B. Hotz hotz at jpl.nasa.gov
Mon Sep 9 20:10:29 UTC 2013


I would strongly argue for a separate CA list for PKINIT (service or workstation login) vice HTTP (web browsing of semi-unknown sites).  The trust models are fundamentally different.

In the former case you are saying who is allowed to issue (conceivably fraudulent) client certs that allow (conceivably fraudulent) users to access local services or workstations.  In my case I have PIV cards with certs issued by one of a number of US Gov organizations that mostly trace to the Federal Bridge.  Allowing certs issued by a hostile foreign government is clearly a very bad idea.

In the latter case you are probably dealing with a general desire to know that there is some attestation by someone that the web site you are visiting is actually what you intended.  You may be visiting the web site of an agency of a hostile foreign government, in which case that government's CA is exactly what you want to "trust".  You might even want a control that prohibits any "friendly" CA from issuing certs for that web site.

Large lists of trusted CAs represent attack surface, however convenient they may make some things.  Whatever the defaults are, we need tools that allow us to model our actual trust for the specific operations we are performing.  In an Enterprise environment accessing local services should only be allowed if they use the corresponding local CA.

On Sep 9, 2013, at 7:02 AM, Nalin Dahyabhai <nalin at redhat.com> wrote:

> On Mon, Sep 09, 2013 at 11:17:02AM +0200, Jan Cholasta wrote:
>> Should each IPA service (LDAP, HTTP, PKINIT) have its own
>> distinctive set of trusted CAs, or is using one set for everything
>> good enough? Using distinctive sets would allow granular control
>> over what CA is trusted for what service (e.g. trust CA1 to issue
>> certificates for LDAP and HTTP, but trust CA2 only to issue
>> certificates for HTTP), but I'm not sure how useful that would be in
>> the real world.
> 
> I'd expect it to depend heavily on whether or not you're chaining up to
> an external CA.  Personally, I'd very much want to keep a different set
> of trust anchors for PKINIT in that situation.
> 
> HTH,
> 
> Nalin

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
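The per-service trust-anchor separation argued for in this message, as an added Go example (not code from FreeIPA, the thread, or any of its authors). It builds two throwaway CAs with the standard crypto/x509 package, keeps a separate root pool per service instead of one shared bundle, and checks that a certificate chaining to the external root is accepted for HTTP but rejected for LDAP and PKINIT, while a certificate from the local CA is accepted everywhere. The CA names, the service names, the policy and the use of the generic client-auth EKU (rather than the PKINIT-specific one) are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}
var serial int64 // monotonically increasing serials for the constructed certs

// sign fills in serial and validity on tmpl, signs it with parent/parentKey (or
// self-signs when parentKey is nil) and returns the parsed cert plus its key.
// It panics on failure because the whole setup is a constructed fixture.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewCA creates a self-signed root (stand-in for the IPA CA or an imported external root).
func NewCA(name string) *CA {
	cert, key := sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	return &CA{Cert: cert, Key: key}
}

// Issue signs an end-entity cert valid for server and client auth, so only the anchor set decides below.
func (ca *CA) Issue(cn string) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: cn},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, ca.Cert, ca.Key)
	return cert
}

// ServiceTrust holds one trust-anchor pool per service instead of a shared bundle.
type ServiceTrust map[string]*x509.CertPool

// Trusted reports whether leaf chains to an anchor configured for service; a service with no anchors trusts nothing.
func (st ServiceTrust) Trusted(service string, leaf *x509.Certificate) bool {
	roots, ok := st[service]
	if !ok {
		return false
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Scenario models the policy argued for in the thread: HTTP trusts the local and
// the external CA, LDAP and PKINIT trust only the local CA. Keys are "service/issuer".
func Scenario() map[string]bool {
	local, external := NewCA("Example Enterprise IPA CA"), NewCA("Example External Root")
	localOnly, both := x509.NewCertPool(), x509.NewCertPool()
	localOnly.AddCert(local.Cert)
	both.AddCert(local.Cert)
	both.AddCert(external.Cert)
	trust := ServiceTrust{"HTTP": both, "LDAP": localOnly, "PKINIT": localOnly}
	results := map[string]bool{}
	for issuer, ca := range map[string]*CA{"local": local, "external": external} {
		leaf := ca.Issue("alice")
		for _, svc := range []string{"HTTP", "LDAP", "PKINIT"} {
			results[svc+"/"+issuer] = trust.Trusted(svc, leaf)
		}
	}
	return results
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-16s accepted=%v\n", k, v)
	}
}
```

Running it prints one accepted/rejected line per service and issuer pair. The point of the design is the deny-by-default lookup in Trusted: a service that has no anchor set configured, or whose set lacks the issuing root, rejects the chain even though the very same certificate validates fine for a service with a broader set.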
