Hi Alvaro,
On Thu, 25 Aug 2011 16:45:40 +0200, Alvaro Lopez Ortega
<[email protected]> wrote:
Hello Hugo,
Thanks for the clarification.
On Thu, Aug 25, 2011 at 4:12 PM, Hugo Vazquez Carames
<[email protected]> wrote:
Even if the client (a browser) is able to do its own OCSP queries,
validation of the client certificate should always be done at the server
side, for security reasons (for example, someone trying to use a revoked
client certificate). You can do it at the CGI level, but it will make life
easier to have the option of configuring it at the Cherokee (web server)
level, like Apache does in its latest server version.
Well, in my understanding, it should be implemented as a uWSGI, FastCGI or
SCGI application. The feature is too specific to be part of a general
purpose web server by default.
Do you really think it is too specific? OCSP validation is a core part of
the trust chain of client certificate validation... Anyway, I deeply
respect your opinion.
Think about the increasing number of countries using Electronic National
Identity Cards, and how you can help build a more secure web
environment...
Does Cherokee allow (or will it allow) configuring an OCSP responder to
validate client certificates?
It is certainly not in the roadmap. Actually, I can see the value of having
a uWSGI/FastCGI app, but I'm not even sure this is something that should be
built into the web server. If we had the app though, we could provide a
Wizard to auto-configure it.
;-)
--
---------------------
Hugo Vázquez Caramés
"The work that is never begun is the one that takes longest to finish" (J.
R. R. Tolkien)
"Most people spend more time and energy talking about problems than
tackling them" (Henry Ford)
"The impossible is the ghost of the timid and the refuge of the cowardly"
(N. Bonaparte)
========================================================
PENTEST Consultores
Tel: 93 3962070 / Fax: 93 3962001
e-mail: [email protected]
========================================================
Gain credibility and trust, visit http://www.pentest.es
This email is confidential and intended solely for the use of the
individual to whom it is addressed. If you are not the intended
recipient, be advised that you have received this email in error and that
any use, dissemination, forwarding, printing or copying of this email is
strictly prohibited. If you have received this email in error, please
notify the sender.
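The server-side check Hugo argues for, as an added example that is not part of this thread or of Cherokee: the OCSP decision a FastCGI/uWSGI application could make on the client certificate the web server hands it. It uses the third-party `cryptography` package; the CA, the client certificate, the OCSP response and the clock are all constructed in-process, so it runs offline and the CA itself plays the responder.

```python
# Added example: server-side OCSP revocation check of a client certificate (constructed test PKI).
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2011, 8, 25, 14, 45)          # constructed "current time" (naive UTC)
STALE_TIME = NOW + datetime.timedelta(hours=2)        # later than the response's next_update

def make_cert(cn, issuer_cert, issuer_key, key, serial, is_ca):
    """Issue a minimal certificate for the constructed test PKI (self-signed if no issuer)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_CERT = make_cert("Test CA", None, CA_KEY, CA_KEY, 1, True)
CLIENT_KEY = ec.generate_private_key(ec.SECP256R1())
CLIENT_CERT = make_cert("client", CA_CERT, CA_KEY, CLIENT_KEY, 0x1001, False)

def build_response(revoked, signer=CA_KEY):
    """Stand-in for the CA's OCSP responder: one signed answer about CLIENT_CERT, valid 1 hour."""
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=CLIENT_CERT, issuer=CA_CERT, algorithm=hashes.SHA256(),
                             cert_status=status, this_update=NOW,
                             next_update=NOW + datetime.timedelta(hours=1),
                             revocation_time=NOW if revoked else None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT))
    return builder.sign(signer, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def client_cert_is_good(client_cert, response_der, now=NOW):
    """Accept only if a fresh, CA-signed OCSP response says GOOD for exactly this serial."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    try:   # the response must carry a valid signature from the responder (the CA here)
        CA_CERT.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                    ec.ECDSA(resp.signature_hash_algorithm))
    except Exception:
        return False
    if resp.serial_number != client_cert.serial_number:  # answer is about some other cert
        return False
    if not (resp.this_update <= now < resp.next_update):  # stale or replayed response
        return False
    return resp.certificate_status == ocsp.OCSPCertStatus.GOOD
```

A real deployment would fetch the response from the URL in the client certificate's AIA extension and cache it until `next_update`; the acceptance logic stays the same.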
_______________________________________________
Cherokee mailing list
[email protected]
http://lists.octality.com/listinfo/cherokee