-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16/05/12 12:55, Alon Bar-Lev wrote:
> On Wed, May 16, 2012 at 1:46 PM, David Sommerseth
> <openvpn.l...@topphemmelig.net> wrote:
>> On 16/05/12 12:37, Alon Bar-Lev wrote:
>>> On Wed, May 16, 2012 at 1:27 PM, David Sommerseth
>>> <openvpn.l...@topphemmelig.net> wrote:
>>>> On 16/05/12 09:17, Alon Bar-Lev wrote:
>>>>> Hello David,
[...snip...]
>>>>> Can you please explain what this plugin is and why just
>>>>> remove the conditional?
>>>> 
>>>> You can find more info about the plug-in here: 
>>>> http://www.eurephia.net/
>>>> 
>>>> Basically, it's a username/password authentication plug-in
>>>> which also matches a user account up against a certificate
>>>> too (plus some extra features as well).  The
>>>> 'tls_digest_%d' environment variable is used to get better
>>>> data when matching certificate information against the
>>>> database.
[...snip...]
> 
> hmmm... why not digest only the end certificate? That's what you
> actually need, right?

For the most common setup where you only have a single CA and the
client cert, the tls_digest_0 env. variable is the important factor.

But some users might do some tricks with certificate chains, using CA
and sub-CA(s), which a plug-in/script then can better validate if it
has all the levels.

For example, the firewall profiles for each user can be different
based on which kind of device you're connecting from (workstation,
laptop, tablet, etc.) - and each group of devices can have certificates
issued by different sub-CAs.  But the end-user has only one
username/password to care about (the certificates/keys are distributed
by the enterprise in their preferred way to their devices), and based
on the certificate chain, the network access changes.

This way, if one sub-CA is removed/disabled from the eurephia
database, you can easily remove access from a complete group.  Maybe
that's something you only want to do temporarily, so issuing a CRL for
a sub-CA would be too extreme.  Such setups are more interesting for
enterprises, though.  But the key point is to have fine-grained control
of all the VPN accesses.

The thoughts behind eurephia have been to provide runtime modularity
and to be as flexible as possible; not locking the users into only
a limited kind of setup.

Granted, all the certificate-chain support isn't implemented in
eurephia yet, but it's on the TODO list.


kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+zkWQACgkQDC186MBRfrr2iQCgjkAJX4l0KNkrZjcChAws6+Dc
5mAAn0Wki7i0ZiMcsNL6W6npWtw7kqW5
=Gomp
-----END PGP SIGNATURE-----
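The decision logic David describes above (leaf digest in `tls_digest_0` identifying the user's certificate, the issuing sub-CA further up the chain selecting a device group that can be switched off without a CRL), written out as an added example. This is not eurephia code and not part of the thread. It assumes the script runs where OpenVPN has exported `tls_digest_{n}` for every depth of the verified chain and `username` from an `auth-user-pass-verify ... via-env` setup; the policy table, user-to-certificate registrations and fingerprints are constructed for the example.

```python
"""Sub-CA based access decision over OpenVPN's tls_digest_{n} variables.
Added example modelled on the thread's description; not eurephia's code."""
import hashlib
import os
import sys


def fake_fp(label: str) -> str:
    """Constructed SHA-1 fingerprint in OpenVPN's colon-separated hex form.
    Derived from a label so the example needs no real certificates."""
    raw = hashlib.sha1(label.encode()).hexdigest().upper()
    return ":".join(raw[i:i + 2] for i in range(0, len(raw), 2))


# Constructed policy: which sub-CA issues certificates for which device
# group, and whether that group is currently allowed in.  Disabling a
# group here is the "temporary" alternative to issuing a CRL.
ROOT_CA_FP = fake_fp("root-ca")
SUBCA_POLICY = {
    fake_fp("sub-ca-workstations"): {"group": "workstation", "enabled": True},
    fake_fp("sub-ca-laptops"): {"group": "laptop", "enabled": True},
    fake_fp("sub-ca-tablets"): {"group": "tablet", "enabled": False},
}

# Constructed account database: username -> leaf digests registered for it.
USER_CERTS = {
    "alice": {fake_fp("alice-ws-cert"), fake_fp("alice-tablet-cert")},
    "bob": {fake_fp("bob-laptop-cert")},
}


def chain_digests(env):
    """Collect tls_digest_0, tls_digest_1, ... in order until one is missing.
    Depth 0 is the client (leaf) certificate, the last entry is the root."""
    chain, depth = [], 0
    while f"tls_digest_{depth}" in env:
        chain.append(env[f"tls_digest_{depth}"])
        depth += 1
    return chain


def decide_access(env, user_certs=USER_CERTS, subca_policy=SUBCA_POLICY,
                  root_fp=ROOT_CA_FP):
    """Return (allowed, group, reason) for one connection attempt."""
    username = env.get("username")
    chain = chain_digests(env)
    if not username or len(chain) < 2:
        return False, None, "missing username or incomplete chain"
    leaf, issuer, root = chain[0], chain[1], chain[-1]
    if root != root_fp:
        return False, None, "chain does not end at the trusted root"
    # The leaf digest must belong to the account that presented the password.
    if leaf not in user_certs.get(username, set()):
        return False, None, f"certificate not registered for user {username}"
    if issuer == root_fp:
        # Single-CA setup: only tls_digest_0 matters, no device grouping.
        return True, "default", "ok"
    policy = subca_policy.get(issuer)
    if policy is None:
        return False, None, "issuing sub-CA unknown"
    if not policy["enabled"]:
        return False, policy["group"], f"group {policy['group']} is disabled"
    return True, policy["group"], "ok"


def sample_env(username, leaf_label, subca_label):
    """Constructed environment for a three-level chain: leaf, sub-CA, root."""
    return {
        "username": username,
        "tls_digest_0": fake_fp(leaf_label),
        "tls_digest_1": fake_fp(subca_label),
        "tls_digest_2": ROOT_CA_FP,
    }


if __name__ == "__main__":
    # Invoked by OpenVPN: exit 0 accepts the client, non-zero rejects it.
    allowed, group, reason = decide_access(os.environ)
    print(f"{'ALLOW' if allowed else 'DENY'} group={group}: {reason}",
          file=sys.stderr)
    sys.exit(0 if allowed else 1)
```

Run stand-alone it reads the real process environment; `sample_env` builds the same variable set for testing the policy offline.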
