
cacert-devel - Re: Certificate login to the test system

Subject: CAcert Code Development list.


Re: Certificate login to the test system


  • From: Bernhard Froehlich <ted AT convey.de>
  • To: cacert-devel AT lists.cacert.org
  • Subject: Re: Certificate login to the test system
  • Date: Thu, 09 Apr 2009 10:28:57 +0200

Ian G (Audit) wrote:
> On 8/4/09 16:09, Philipp Gühring wrote:
>> Hi Martin,
>>
>>> should I be able to login by client-certificate?
>>
>> No.
>> The test-system had started with an empty database (due to privacy
>> reasons, we did not copy any user-data from the production system),
>> so you can only login to the testsystem with a client-certificate that
>> was issued by the testsystem.
>
> Um. Off original topic: And what does it do with a CAcert signed certificate that *wasn't* issued by the system?
>
> The basic point of certificates was that we could rely on the signed data on the basis of only the signatures chain, and not have to store things.
>
> Obviously the issuer also has the luxury of storing things ... so I can see the merit in the above notion of only accepting issued certs, an advantage that is unavailable to others.
>
> I'm just wondering what happens in the "impossible" case :)
IIRC currently the certificate login is implemented by looking up in the database whether the certificate is in the list of issued and not-revoked certificates, so it works only with certificates issued by the site itself.

Surely this is not the "usual" way of doing a certificate login. The usual way would be to extract the mail address from the certificate and look up the mail address in the database. This would work independently from the issuing site (and might accept certificates of other issuers too if Apache would be configured accordingly), but I'm afraid that currently it's not the right time to do such a quite security sensitive change in the main system. And I'd like to avoid special code branches for the test system!

Kind regards
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26


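The two lookup strategies Ted contrasts, written out as an added Python illustration that is not CAcert's code: the application reads the SSL_CLIENT_* variables mod_ssl exports after verifying the chain, and the issued-certificate table, account table, DNs and serials are constructed for the example.

```python
# Added illustration of the two client-certificate login strategies from the
# thread. Not CAcert's code; tables, DNs and serials are constructed.
# Apache mod_ssl verifies the chain and exports SSL_CLIENT_* variables to the
# application; only that metadata is consumed here.

# Constructed "issued and not revoked" table, keyed by (issuer DN, serial).
ISSUED = {
    ("/O=Test CA/CN=Test Root", "1A2B"): {"revoked": False, "email": "alice@example.org"},
    ("/O=Test CA/CN=Test Root", "1A2C"): {"revoked": True, "email": "bob@example.org"},
}
# Constructed account table keyed by verified e-mail address.
USERS = {"alice@example.org": 1, "bob@example.org": 2, "carol@example.org": 3}
TRUSTED_ISSUERS = {"/O=Test CA/CN=Test Root"}


def client_env(issuer, serial, email, verify="SUCCESS"):
    """Build the subset of mod_ssl variables the two lookups read."""
    return {"SSL_CLIENT_VERIFY": verify, "SSL_CLIENT_I_DN": issuer,
            "SSL_CLIENT_M_SERIAL": serial, "SSL_CLIENT_S_DN_Email": email}


def login_by_issued_cert(env):
    """Current scheme: the certificate must be in this site's own issued list
    and not revoked, so certificates issued anywhere else are rejected."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    rec = ISSUED.get((env.get("SSL_CLIENT_I_DN"), env.get("SSL_CLIENT_M_SERIAL")))
    if rec is None or rec["revoked"]:
        return None
    return USERS.get(rec["email"])


def login_by_email(env):
    """Proposed scheme: rely on the verified chain and map the e-mail address
    in the subject to an account. Revocation is no longer checked here, so it
    must be enforced at the TLS layer (e.g. SSLCARevocationFile) instead."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # Pin the accepted issuers in the application as well, rather than relying
    # only on Apache's SSLCACertificateFile configuration.
    if env.get("SSL_CLIENT_I_DN") not in TRUSTED_ISSUERS:
        return None
    return USERS.get(env.get("SSL_CLIENT_S_DN_Email", "").lower())
```

The revoked-certificate case shows the trade-off: the issued-list lookup rejects it, while the e-mail lookup accepts it unless Apache itself checks revocation.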




