Christopher Paul wrote:
>> The point of a certificate-based authentication system is not to have to
>> implement authentication rules for each and every individual user. An LDAP
>> server should only trust certificates issued by a single CA; that CA should
>> only be issuing certs to valid users. Ideally, the LDAP server should be the CA,
>> which is what slapo-autoca is designed for.
>
> Any peer in a TLS session that does validation seems to have three things to
> validate:
> 1. the x.509 subject name matching the name as known or claimed by the peer

The above applies to clients validating servers. TLS is client-server, not
peer-to-peer. Clients with certs assert their name to servers, and if the
server trusts the cert issuer then it accepts the name that the client asserted.

> 2. the signing authority
> 3. the validity date
>
> Are we saying that the LDAP server should only care about #2?

The date is important too of course. And revocation checks too, but they
aren't relevant to this conversation.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
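What the server-side check discussed in this thread looks like in practice, as an added Go example (not code from the thread or from OpenLDAP): the server trusts exactly one CA, checks the validity window against the current time, and takes the identity from the verified certificate rather than from anything the client claims. The `issue` and `authenticate` helpers are hypothetical, and revocation checking is left out, as the thread sets it aside.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue stands in for the CA (slapo-autoca in the thread); hypothetical helper that self-signs a root when parent is nil.
func issue(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial; a real CA tracks uniqueness
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // the CA may sign certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // end-entity: client auth only
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authenticate is the server side: the client cert must chain to the single trusted CA,
// be valid at now and be allowed for client auth; the identity comes from the verified cert.
func authenticate(client, ca *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the only issuer the server trusts
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err // untrusted issuer, outside validity window, or wrong purpose
	}
	return client.Subject.CommonName, nil
}
```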
