
Re: Working on a security best practices document


>>>>> "Chris" == Chris Travers <..hidden..> writes:
    Chris> so we can check to see that the user on the cert is the same
    Chris> user as the provided credentials.  LDAP might be needed to
    Chris> make that work cleanly though....
    >> LDAP is not necessary or important.  Apache will provide a DN,
    >> etc. to the script.  see
    >> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html, and the
    >> SSL_CLIENT_* variables.

    Chris> I was thinking more along the lines of authenticating that
    Chris> the certificate maps to a specific user, short of requiring
    Chris> the username in the cert.  LDAP might make it easier to avoid
    Chris> problems.

LDAP is neutral to the problem.  It's just a database with a poor
interface, and an inflexible schema.
We have a much more sophisticated database :-)

You can map the certificate by DN (no matter what is there), by just
adding a column to the users table.  Or you can be more ssh/spki-like
and just use the sha1 of the public key in the certificate.  There are
pros and cons of each method.

    >> But, in the situation where the browser is on the corporate
    >> intranet, one hop from the server, or in my personal company
    >> case, where the whole thing is "localhost", it wasn't privacy
    >> that was the problem.

    Chris> Ok, there is a specific issue with 1.3 that I think requires
    Chris> SSL on the corporate intranet in order to be effective.

    Chris> The basic issue is that we use internal db accounts so we
    Chris> have to obtain credentials from the web browser we can use to
    Chris> authenticate against the db.  Currently the only way
    Chris> supported to do this is via HTTP Basic Auth, though Kerberos
    Chris> could be supported for intranet environments with a little
    Chris> effort.

  I'm not sure I understand how you leap from HTTP-Basic-Auth-is-bad
(with which I agree, and which SSL "solves"), to needing Kerberos, unless
what you are trying to do is to integrate against ActiveDirectory.

  HTTP Digest Authentication is the obvious "better choice", and
recently some people have done some work such that you do not need to
store the passwords in the clear to make digest authentication work.

    Chris> What about a new schema with VIEWs that are in 2nf?

  okay... and then dump that?
    >> This is as much about producing good audit records as it is to
    >> permit recovery from data corruption that may have occurred in the
    >> past...

    >> Has anyone considered having a ledgersmb mini-conference either
    >> independently, or as a summit of another
    >> conference... e.g. PGcon, OLS, onlinux, OScon, ???

    Chris> Not yet.  Maybe we will get there though :-) Efforts in
    Chris> helping with such things are appreciated.

  Next email.

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] ..hidden.. http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition. 
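The certificate-to-user mapping discussed above (by subject DN, or ssh/SPKI-style by the SHA-1 of the public key) as an added example; this is not code from this email or from LedgerSMB. It reads the environment that mod_ssl hands a CGI script: SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN are always set, and SSL_CLIENT_CERT (the PEM certificate) is exported when `SSLOptions +ExportCertData` is on. The user tables are plain dicts standing in for the extra column on the users table, the DN string format is the Apache 2.2 one-line style, and the sample certificate is constructed inline for structure only (its key bits are placeholders, and nothing signs it).

```python
import base64
import hashlib


def read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos:] -> (tag, content, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: the next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def spki_der(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 certificate (RFC 5280 layout)."""
    tag, cert_body, _ = read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    tbs_tag, tbs, _ = read_tlv(cert_body, 0)            # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    fields, pos = [], 0
    while pos < len(tbs):
        ftag, _, end = read_tlv(tbs, pos)
        fields.append((ftag, tbs[pos:end]))             # keep the whole TLV, header included
        pos = end
    if fields and fields[0][0] == 0xA0:                 # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    ftag, spki = fields[5]
    if ftag != 0x30:
        raise ValueError("unexpected field where SPKI was expected")
    return spki


def spki_sha1_from_pem(pem):
    """ssh/SPKI-style identity: SHA-1 over the certificate's SubjectPublicKeyInfo."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return hashlib.sha1(spki_der(base64.b64decode(body))).hexdigest()


def resolve_user(env, by, users_by_dn=None, users_by_key=None):
    """Map a CA-verified client certificate to a local user name, or None.

    env is the CGI environment mod_ssl populates; the user tables are assumed
    dicts standing in for a column on the users table (not LedgerSMB's schema).
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":   # no cert, or not verified against the CA
        return None
    if by == "dn":
        return (users_by_dn or {}).get(env.get("SSL_CLIENT_S_DN"))
    if by == "key":
        pem = env.get("SSL_CLIENT_CERT")
        return (users_by_key or {}).get(spki_sha1_from_pem(pem)) if pem else None
    raise ValueError("by must be 'dn' or 'key'")


# --- constructed sample certificate: structure only, placeholder key bits, unsigned ---
def der(tag, content):
    """Minimal DER encoder used only to build the sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_cert():
    """Return (pem, der, spki) for a hand-built certificate with CN=alice."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption
    spki = der(0x30, alg + der(0x03, b"\x00" + der(0x30, der(0x02, b"\x7f") + der(0x02, b"\x03"))))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"alice"))))  # CN=alice
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity + name + spki)
    cert = der(0x30, tbs + alg + der(0x03, b"\x00"))
    pem = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
    return pem, cert, spki


if __name__ == "__main__":
    pem, cert, spki = build_sample_cert()
    env = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": "/CN=alice", "SSL_CLIENT_CERT": pem}
    print(resolve_user(env, "dn", users_by_dn={"/CN=alice": "alice"}))
    print(resolve_user(env, "key", users_by_key={spki_sha1_from_pem(pem): "alice"}))
```

The two strategies trade off differently: a DN mapping survives a user re-keying and relies on the CA to keep subject names unique, while a key-fingerprint mapping does not depend on what the CA put in the subject at all but has to be updated whenever the user's key changes. Either way the SSL_CLIENT_VERIFY check comes first; a DN or key from a certificate Apache did not verify is just a string the client chose.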
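The Digest point made above (the server need not hold cleartext passwords) as an added example, not from this email or from LedgerSMB: the server keeps only HA1 = MD5(user:realm:password), which is exactly what an htdigest file holds, and recomputes the client's response from it. The header parser, the verifier class and the replay check on the nonce count are this example's own design; it assumes qop=auth, and the sample request is the worked example from RFC 2617 section 3.5 (user Mufasa, password "Circle Of Life").

```python
import hashlib
import hmac
import re

# One Digest parameter: key="quoted value" or key=token, comma separated.
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header):
    """Parse an 'Authorization: Digest ...' value (RFC 2617 syntax) into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest authorization header")
    return {k: q if q else t for k, q, t in _PARAM.findall(params)}


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1_for(username, realm, password):
    """The only per-user secret the server stores: MD5(user:realm:password).
    This is the htdigest file format; the cleartext password is never kept."""
    return md5_hex(f"{username}:{realm}:{password}")


def expected_response(ha1, method, p):
    """Recompute the client's response (qop=auth form) from the stored HA1."""
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")


class DigestVerifier:
    """Server-side check against an HA1 store; requires qop=auth (assumption)."""

    def __init__(self, realm, ha1_store):
        self.realm = realm
        self.store = ha1_store          # username -> HA1 hex string
        self.highest_nc = {}            # nonce -> highest nc accepted so far

    def verify(self, method, header):
        try:
            p = parse_digest_header(header)
            nc = int(p["nc"], 16)
            if p["realm"] != self.realm or p["qop"] != "auth":
                return False
            ha1 = self.store.get(p["username"])
            if ha1 is None:
                return False
            # Replay check: the nonce count must strictly increase for a given nonce.
            # (A real server also checks that it issued the nonce and that it is still fresh.)
            if nc <= self.highest_nc.get(p["nonce"], 0):
                return False
            if not hmac.compare_digest(expected_response(ha1, method, p), p["response"]):
                return False
        except (KeyError, ValueError, TypeError):
            return False               # missing parameter, bad nc, or non-ASCII response
        self.highest_nc[p["nonce"]] = nc
        return True


# Constructed sample: the worked example from RFC 2617 section 3.5.
REALM = "testrealm@host.com"
USERS = {"Mufasa": ha1_for("Mufasa", REALM, "Circle Of Life")}
RFC2617_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1"'
)

if __name__ == "__main__":
    v = DigestVerifier(REALM, USERS)
    print("first request:", v.verify("GET", RFC2617_HEADER))   # True
    print("replayed:", v.verify("GET", RFC2617_HEADER))        # False
```

Note what is and is not gained: HA1 is not the password, but it is password-equivalent for this realm, so the HA1 store still needs the same protection as the users table, and MD5 is the only digest RFC 2617 defines. What Digest does give over Basic on a plain intranet link is that the password itself never crosses the wire and a captured response is bound to one nonce, URI and method.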