RFC: retrieve cacerts from remote server

RFC: retrieve cacerts from remote server

Jonsy (teleline)
Not sure on implementing this feature...

Actually pam_pkcs11 uses hash dir in X509_LOOKUP_* functions
to retrieve CA certs and locally stored CRLs.
I'm changing the code to allow use of either cacert files or
hash directories.

But I've received several mails from people using pam_pkcs11:
they want to retrieve the cacert file from a centralized server,
instead of distributing it to every client in the network.

There is not an easy way (I've not found code :-) to do it.
I'll need to choose one of these options:
1- Retrieve cacert file, store it and use normal X509_LOOKUP_load_file()
2- Implement a complete X509_STORE Lookup method for using remote files

Before starting, I'd appreciate opinions about the real need to support
remote cacert files for cert verify operation. My feeling is that
a local cacert file / hash dir is enough.

Juan Antonio

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: RFC: retrieve cacerts from remote server

Andreas Jellinghaus-2
Hi Juan,

no idea how it is best implemented. If you store the certificate
locally, will you overwrite it each time? (bad) Or not update it
(also bad). So not storing it locally looks better to me, or
storing it in a file marked "cache" or something.

And of course I wonder about security: That way you use a networked
authentication server without any chance to check if that server
is the one you want to talk with. An attacker could redirect
the network connection and thus return whatever he wants as ca
cert and authentication information.
But I guess people are willing to pay that price, so it is ok
to implement it, maybe with a security warning.

Regards, Andreas
Re: RFC: retrieve cacerts from remote server

Jonsy (teleline)
On Thu, 22-12-2005 at 12:58 +0100, Andreas Jellinghaus wrote:
> Hi Juan,
[....]
> And of course I wonder about security: That way you use a networked
> authentication server without any chance to check if that server
> is the one you want to talk with. An attacker could redirect
> the network connection and thus return whatever he wants as ca
> cert and authentication information.
> But I guess people are willing to pay that price, so it is ok
> to implement it, maybe with a security warning.
>

I agree: remote query for CACerts is a security risk.
It's better to push it from the server (scp works fine), instead
of letting the client ask for the cacert file.

BTW:
The last changes I've sent to pam_pkcs11 svn allow use of
either a hash-link directory or a single cacert file.
I can only test it with pem cacert files, so a little
help is needed for full testing...

Next job is to write the pam_sm_password() routines and update docs
to get pam_pkcs11 ready for a new 0.6 release.

Happy Christmas
Juan Antonio
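
The two local trust-anchor layouts named in this thread, a single cacert file and a hash-link directory, shown with the openssl command line as an added example that is not part of the original messages or of pam_pkcs11. The `-CAfile` and `-CApath` options of `openssl verify` use the same file and hash-dir lookups; the CA names, function names and temporary paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway constructed CAs, nothing from the pam_pkcs11 tree.

# make_ca DIR NAME: create a self-signed test CA certificate DIR/NAME.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed $2 CA" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# add_to_hash_dir HASHDIR CERT: link CERT as <subject-hash>.N, the file name
# the OpenSSL hash-dir lookup searches for; N avoids clashes on equal hashes
add_to_hash_dir() {
    hash=$(openssl x509 -noout -hash -in "$2") || return 1
    n=0
    while [ -e "$1/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$2" "$1/$hash.$n"
}

# check_layouts: print one line per (lookup option, certificate) pair.
# Only the "trusted" CA is installed, once as a file and once in the hash dir.
check_layouts() {
    work=$(mktemp -d) || return 1
    mkdir "$work/hashdir"
    make_ca "$work" trusted && make_ca "$work" other || return 1
    add_to_hash_dir "$work/hashdir" "$work/trusted.pem" || return 1
    for cert in trusted other; do
        # $opt is split on purpose; the mktemp path contains no spaces
        for opt in "-CAfile $work/trusted.pem" "-CApath $work/hashdir"; do
            if openssl verify $opt "$work/$cert.pem" >/dev/null 2>&1; then
                printf '%s %s ok\n' "${opt%% *}" "$cert"
            else
                printf '%s %s rejected\n' "${opt%% *}" "$cert"
            fi
        done
    done
    rm -rf "$work"
}
```

Calling `check_layouts` shows that both layouts accept the installed CA and reject the one that was never installed, which is the behaviour a client keeps when the cacert is pushed to it rather than fetched on demand.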

