[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Working on a security best practices document
- Subject: Re: Working on a security best practices document
- From: Michael Richardson <..hidden..>
- Date: Sat, 30 Jan 2010 17:31:51 -0500
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Chris" == Chris Travers <..hidden..> writes:
Chris> so we can check to see that the user on the cert is the same
Chris> user as the provided credentials. LDAP might be needed to
Chris> make that work cleanly though....
>> LDAP is not necessary or important. Apache will provide a DN,
>> etc. to the script. see
>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html, and the
>> SSL_CLIENT_* variables.
Chris> I was thinking more along the lines of authenticating that
Chris> the certificate maps to a specific user, short of requiring
Chris> the username in the cert. LDAP might make it easier to avoid
LDAP is neutral to the problem. It's just a database with a poor
interface, and an inflexible schema.
We have a much more sophicated database :-)
You can map the certificate by DN (no matter what is there), by just
adding a column to the users table. Or you can be more ssh/spki-like
and just use the sha1 of the public key in the certificate. There are
pros and cons of each method.
>> But, in the situation where the browser is on the corporate
>> intranet, one hop from the server, or in my personal company
>> case, where the whole thing is "localhost", it wasn't privacy
>> that was the problem.
Chris> Ok, there is a specific issue with 1.3 that I think requires
Chris> SSL on the corporate intranet in order to be effective.
Chris> The basic issue is that we use internal db accounts so we
Chris> have to obtain credentials from the web browser we can use to
Chris> authenticate against the db. Currently the only way
Chris> supported to do this is via HTTP Basic Auth, though Kerberos
Chris> could be supported for intranet environments with a little
I'm not sure I understand how you leap from HTTP-Basic-Auth-is-bad
(which I agree, and which SSL "solves"), to needing Kerberos, unless
what you are trying to do is to integrate against ActiveDirectory.
HTTP Digest Authentication is the obvious "better choice", and
recently some people have done some work such that you do not need to
store the passwords in the clear to make digest authentication work.
Chris> What about a new schema with VIEWs that are in 2nf?
okay... and then dump that?
>> This is as much about producing good audit records as it is to
>> permit recovery from data corruption that may have occured in the
>> Has anyone considered having an ledgersmb mini-conference either
>> independently, or as a summit of another
>> conference... e.g. PGcon, OLS, onlinux, OScon, ???
Chris> Not yet. Maybe we will get there though :-) Efforts in
Chris> helping with such things is appreciated.
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] ..hidden.. http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Finger me for keys
-----END PGP SIGNATURE-----