[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Storing TLS credentials in the directory

To: OpenLDAP-devel@openldap.org
Subject: Re: Storing TLS credentials in the directory
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Tue, 11 Apr 2017 13:12:17 -0700
Content-disposition: inline
In-reply-to: <WM!f39a222cadbe8a5144e759b489f64407bc70759aef74b4ddb4562e1cecfc567a66efebefe31f5b3e13e68e167dab4e1c!@mailstronghold-1.zmailcloud.com>
References: <E1cx31W-0005aD-M5@euler.openldap.org> <WM!4ba83b2090d2bd1da4412c283bf93e9733cc0be005cc6e1eea16569b1a5755a16c137c899e1426c4e700614ef0d86a6e!@mailstronghold-2.zmailcloud.com> <faee960d-3967-2eed-b6ec-d2f8e0b4fdc6@symas.com> <9444E7C8-A0A8-464B-9BAA-B057162CF14F@bayour.com> <BE9CD1C3-B433-453A-92EE-258046EA3796@bayour.com> <WM!72c4bd8a502cb74b06f81b6b79f016b392e96533e633776189e8f3d79378f724d1b0950ee046f711f5b3fe60c82ab046!@mailstronghold-1.zmailcloud.com> <3b82bb6c-d295-586a-97ae-1498b74062bd@symas.com> <7A069EFE-53C6-4EDC-98DC-F2D9F53F2A18@bayour.com> <WM!f39622754a54a322cd4b5d4c797e2b29ba134ab8db60fd17eed0c572861319bf9e5b6654563372ab175acd66972902c7!@mailstronghold-2.zmailcloud.com> <223d2e96-5b9f-c069-9bbc-2e921a15c287@symas.com> <8d6f6358-1488-6bdf-607e-4c24b9ad99a6@stroeder.com> <WM!70ba72d390fb41c20879944e0f93e665f45bf63889cc450c22a3c4912a274ce48f53f6f605107cc117da806211161f6f!@mailstronghold-2.zmailcloud.com> <22ae9726-7e7f-2c8a-ffa4-8bae1dff70ae@symas.com> <WM!f39a222cadbe8a5144e759b489f64407bc70759aef74b4ddb4562e1cecfc567a66efebefe31f5b3e13e68e167dab4e1c!@mailstronghold-1.zmailcloud.com>

--On Sunday, April 09, 2017 9:57 PM +0100 Howard Chu <hyc@symas.com> wrote:

You cannot write a decent design from scratch. It's important to have a
baseline of functionality to get an idea of scope. The current overlay
provides that baseline.

Some immediate things I see after reading the man page for the currentautoca are:

a) Not going to work well for databases that use "" as a suffix, and thensupport multiple domains beneath that (Zimbra had many customers that didthis. One customer handled 10k unique top level domains.)

b) Related to the above, importing CA's for those customer domains wouldfail (because they aren't located in the suffix)

c) While there is an option to specify the keysize, there is no option tospecify the digest to use. There should be a note on what the defaultdigest is, and an option to use other digests. With Zimbra, we had adefault of sha256, and options of ripemd160, sha, sha1, sha224, sha256,sha384, sha512

d) I don't see a mechanism for creating star certs, which can be fairlycritical. I also don't see a mechanism for doing multiple DNS names, whichcan be critical for a server with several CNAMES names.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

References:
- Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>
- Re: Storing TLS credentials in the directory
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>
- Re: Storing TLS credentials in the directory
  - From: Michael Ströder <michael@stroeder.com>
- Re: Storing TLS credentials in the directory
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Storing TLS credentials in the directory
Next by Date: Re: Storing TLS credentials in the directory
Index(es):
- Chronological
- Thread