Hi,

On 03/01/2024 23:28, Gert Doering wrote:
> Hi,
> 
> On Wed, Jan 03, 2024 at 10:45:50PM +0100, Antonio Quartulli wrote:
>> On 03/01/2024 20:03, Gert Doering wrote:
>>> Not sure I can come up with a good attack scenario
>>> in an OpenVPN PKI scenario where the CA would be stopped from doing
>>> something nasty by doing the full .csr dance (because it could still just
>>> create arbitrary .key/.crt on its own, thus getting access to the VPN
>>> server).
>>
>> I think the .csr dance would prevent the CA from impersonating well known
>> users with a well known certificate.
> 
> Only if you verify that "well known certificate" with something like
> peer-fingerprint - taking into account bits of the pubkey/privkey that
> are not part of the actual "CA signing" thing (because everything else,
> like "CN=important user", the CA can sign as it wants...)

Agreed!
I left the implementation of "well known" to the reader :-)
The certificate is not just its CN.

Cheers,

> gert

--
Antonio Quartulli

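To make the point of the exchange concrete, here is an added example (it is not code from this thread, from Gert or Antonio, or from the OpenVPN project). It assumes only the openssl command-line tool; the CA name "Example CA", the user "alice" and the file names are made up. It builds a throwaway PKI in which alice.crt comes out of the ".csr dance" (alice keeps her private key, the CA only ever sees the request) and rogue.crt is minted entirely by the CA with the same CN=alice. A plain "is it signed by our CA?" check accepts both; a pin on the SHA256 certificate fingerprint, the value an operator would paste into an OpenVPN peer-fingerprint entry, accepts only the certificate that was actually issued for alice's key.

```shell
#!/bin/sh
# Added example: why "signed by the CA" and "is the well-known certificate"
# are different checks. Assumes openssl is installed; all names are made up.
set -eu

# Quiet wrappers: openssl chatters on stderr during key generation and signing.
gen_key()  { openssl genrsa -out "$1" 2048 2>/dev/null; }
sign_csr() { # $1=csr  $2=output cert  $3=serial number
  openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -set_serial "$3" \
    -days 30 -out "$2" 2>/dev/null
}

# Colon-separated SHA256 fingerprint of the DER certificate, e.g. "AB:CD:...".
# This is the output of `openssl x509 -fingerprint -sha256`, i.e. the value
# that goes into a peer-fingerprint list on the OpenVPN side.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Build the toy PKI in a fresh temp directory and leave the shell inside it.
setup_pki() {
  PKI_DIR=$(mktemp -d)
  cd "$PKI_DIR"
  gen_key ca.key
  openssl req -x509 -new -key ca.key -subj "/CN=Example CA" -days 30 \
    -out ca.crt 2>/dev/null

  # The ".csr dance": alice generates her own key and only ships the request.
  gen_key alice.key
  openssl req -new -key alice.key -subj "/CN=alice" -out alice.csr 2>/dev/null
  sign_csr alice.csr alice.crt 1

  # What a misbehaving CA can do on its own: fresh key, same CN, valid signature.
  gen_key rogue.key
  openssl req -new -key rogue.key -subj "/CN=alice" -out rogue.csr 2>/dev/null
  sign_csr rogue.csr rogue.crt 2

  # The value the server operator recorded when alice's real cert was issued.
  ALICE_FP=$(fingerprint alice.crt)
}

# Check 1: "does it chain to our CA?"  This is all a bare --ca check asks, and
# it says nothing about *which* key sits behind CN=alice.
ca_accepts() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }

# Check 2: "is it exactly a certificate we have pinned?"  Args: cert file,
# then one or more pinned fingerprints. The CA cannot reproduce alice's
# fingerprint without re-issuing the same DER, and even then it would lack
# alice's private key for the TLS handshake.
pin_accepts() {
  cert=$1; shift
  fp=$(fingerprint "$cert")
  for pinned in "$@"; do
    [ "$fp" = "$pinned" ] && return 0
  done
  return 1
}

setup_pki
echo "alice.crt fingerprint: $ALICE_FP"
echo "rogue.crt fingerprint: $(fingerprint rogue.crt)"
for c in alice.crt rogue.crt; do
  if ca_accepts "$c";  then echo "$c: CA chain check  -> accepted"; else echo "$c: CA chain check  -> rejected"; fi
  if pin_accepts "$c" "$ALICE_FP"; then echo "$c: fingerprint pin -> accepted"; else echo "$c: fingerprint pin -> rejected"; fi
done
```

Both certificates pass the chain check, and only alice.crt passes the pin, which is exactly the "bits that are not part of the actual CA signing" distinction above: the CN is the CA's to assert, the fingerprint is tied to the one certificate (and, through the handshake, the one private key) the server was told to expect.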

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users