Re: BUG #5895: Ability to match more than just CN in client certificate
| От | Robert Haas |
|---|---|
| Тема | Re: BUG #5895: Ability to match more than just CN in client certificate |
| Дата | |
| Msg-id | AANLkTimb6anuyoKjEH7y_e+xkLX-tQKjDZEa59b6TFBJ@mail.gmail.com обсуждение исходный текст |
| Ответ на | BUG #5895: Ability to match more than just CN in client certificate ("Christopher Head" <chris2k01@hotmail.com>) |
| Ответы |
Re: BUG #5895: Ability to match more than just CN in client
certificate
|
| Список | pgsql-bugs |
On Sun, Feb 20, 2011 at 5:30 PM, Christopher Head <chris2k01@hotmail.com> w= rote: > > The following bug has been logged online: > > Bug reference: =A0 =A0 =A05895 > Logged by: =A0 =A0 =A0 =A0 =A0Christopher Head > Email address: =A0 =A0 =A0chris2k01@hotmail.com > PostgreSQL version: 9.0.3 > Operating system: =A0 Linux amd64 > Description: =A0 =A0 =A0 =A0Ability to match more than just CN in client = certificate > Details: > > This is a feature request/wishlist, not a bug. Right now, when using clie= nt > certificates over SSL for authentication, the username map maps from the > Subject Common Name field in the certificate to a username in the databas= e. > It would be nice if matches could be done on a few other fields in the > certificate. For example, my name is not particularly unusual, so it's > reasonable that someone else in the world might (and probably does) have = the > same name. That doesn't mean I want to give that person access to my > database, even if they also get a certificate from e.g. cacert.org! > > A few fields to match on that would pretty much instantly close this hole > would be e-mail address and certificate serial number. While the e-mail > address suggestion could be generalized to match an arbitrary subset of t= he > subject's distinguished name fields (e.g. write something like > /O=3DFooOrg/CN=3DChristopher Head/ to require that both fields must be pr= esent > with the specified values), matching certificate serial number would be > slightly different as the serial number is not part of the distinguished > name. It would probably be the most secure field to match on, however, as= no > CA will ever issue two certificates with the same serial number. E-mail > address would be a close second as an address can only be held by one > person, though it relies on the CA being able to verify the legitimate ow= ner > of the address. It seems like there are a lot of possible combinations here that could be useful, so we'd want something that allowed a fairly flexible specification of what to match. Is this a problem you're interested in working on (i.e. contributing code)? --=20 Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
В списке pgsql-bugs по дате отправления: