Hi Dmitrij,

Thanks for your suggestions.

On 24/04/09 17:03, Dmitrij Mironov wrote:
> David O'Callaghan wrote:
>> Two questions on the X509 access control login type:
>>
>> 1) Why does it require signing the session cookie, rather than simply
>> taking the client cert from the SSL session?
>>
>>   
> I think this can be a problem in certain cases. I.e. a user can have two 
> certs - one for signing and another for authentication. In the OpenCA X509 
> access control scenario not the authentication but the signing certificate will 
> be used. Correct me if I'm wrong, but I believe that using a signing 
> certificate for authentication is a bad idea.

That was part of what motivated my question, but also there is the
inconvenience of adding another layer on top of the existing browser
mechanism for "logging in" to the security token.

Can one of the developers comment: is this needed for cross-browser
compatibility or something? Is it not possible to use the client's peer
certificate that is available in the SSL context?

>> 2) How are the roles mapped from the certificates? In my test set up it
>> seems that any "User" can effectively log in to the RA component and
>> sign CSRs!
>>   
> You can set up your Apache server to grant access only for specific 
> certificates (with specific "O=" and/or "OU="). I suggest using a 
> separate CA for issuing administrative (for internal use only) 
> certificates. Then you configure Apache to grant access to the RA/CA web 
> interface for certificates from this administrative CA and that's it, no 
> users in the RA interface.

Thanks. I thought there would be some easy mapping between the Roles (or
profiles) used for issuing certificates and the authorization roles.

Kind regards,

David
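The Apache set-up Dmitrij describes above, written out as an added example (this is not OpenCA's own configuration and is not from either poster). It assumes Apache 2.2-style mod_ssl, a single CA bundle file that holds both the user CA and a separate administrative CA, and the /pki/pub/, /pki/ra/ and /pki/ca/ location names, the file paths, the CRL file and the DN values "Example Org", "Administrative CA" and "CA Operators", all of which are made up for the illustration. The point it adds is that the RA/CA locations must be gated on the issuer DN (SSL_CLIENT_I_DN_*), not only on the subject's O=/OU=, because a certificate issued by the user CA with an "OU=CA Operators" subject would otherwise pass.

```apache
# Added illustration only, not OpenCA's shipped configuration.
# Paths, location names, CRL file and DN values are assumptions.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/openca-web.pem
    SSLCertificateKeyFile /etc/ssl/private/openca-web.key

    # One bundle holding two issuers: the user CA (public interface)
    # and the separate administrative CA (RA/CA operators).
    SSLCACertificateFile  /etc/ssl/certs/openca-client-ca-bundle.pem
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # Reject revoked operator certificates (CRL path is an assumption).
    SSLCARevocationFile   /etc/ssl/crl/openca-admin.crl

    # Export the peer certificate's DN fields (SSL_CLIENT_S_DN_*,
    # SSL_CLIENT_I_DN_*) and the certificate itself (SSL_CLIENT_CERT)
    # to the application, so it can see who authenticated on the TLS
    # session without a separately signed session cookie.
    SSLOptions +StdEnvVars +ExportCertData

    # Public user interface: any client certificate that chains to
    # one of the trusted CAs is enough.
    <Location /pki/pub/>
        SSLRequireSSL
    </Location>

    # RA interface: only certificates ISSUED BY the administrative CA.
    # Matching the issuer DN (not the subject's O=/OU=) is what stops
    # an ordinary user certificate with a look-alike subject.
    <Location /pki/ra/>
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_I_DN_O}  eq "Example Org" \
               and %{SSL_CLIENT_I_DN_OU} eq "Administrative CA"
    </Location>

    # CA interface: administrative issuer AND a narrower operator OU
    # in the subject, which the administrative CA is assumed to enforce.
    <Location /pki/ca/>
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_I_DN_O}  eq "Example Org" \
               and %{SSL_CLIENT_I_DN_OU} eq "Administrative CA" \
               and %{SSL_CLIENT_S_DN_OU} eq "CA Operators"
    </Location>
</VirtualHost>
```

Check the syntax with `apachectl -t` and then test each location with `openssl s_client -connect host:443 -cert user.pem -key user.key` using a certificate from each CA; a user-CA certificate should be refused at /pki/ra/ with a 403. On Apache 2.4 the same conditions can be expressed with `Require expr` instead of the deprecated `SSLRequire`, with the same `%{SSL_CLIENT_I_DN_OU}` variables.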

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
