On 11/01/2013 12:12 PM, Howard Chu wrote:
> I would reject such an ITS. Cert-pinning is an issue for clients that have a very large collection of trusted CAs. The Admin Guide clearly states that servers should only trust a single CA - the CA that signed its own certs and the certs of its clients. In that case, no one else can issue a valid cert with the same subjectDN.
Thanks to everyone for their comments. Greatly appreciated and confirmed some of my suspicions about trying to use certs as an actual 2nd factor.
So, was I right in trying to use ~/.ldaprc to try to force ldapsearch (for instance) to use a cert for authentication? Running a sniffer and looking at the traffic, it doesn't look like ldapsearch is ever doing anything beyond an anonymous bind unless I specify -D and -W in which case it's binding and authenticating as normal rather than using a cert.
I think the notion of using a client cert as a 2nd factor will get dropped (at least for now - grin) but my curiosity is piqued enough that I probably will still tinker with getting slapd to validate a client cert (just for my own edjimication) and want to be sure I'm actually correctly getting the client to use the client cert. :-)
Brent
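As an added illustration (not from the thread, not OpenLDAP project code), the client-side pieces involved when the cert is meant to be the bind identity rather than just a TLS handshake artifact; the host, the ~/.ldaprc location and the file paths are assumptions:

```shell
#!/bin/sh
# Added example: client setup for TLS client-cert authentication to slapd.
# LDAP_URI and CERT_DIR are placeholders, not values from the thread.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.invalid}"
CERT_DIR="${CERT_DIR:-$HOME/.ldap-tls}"

# Write a ~/.ldaprc. TLS_CERT and TLS_KEY are user-only options: ldap.conf(5)
# honors them from ~/.ldaprc (or LDAPTLS_CERT/LDAPTLS_KEY in the environment),
# not from the system-wide ldap.conf. TLS_CACERT names only the CA that signed
# the server cert, matching the single-trusted-CA advice quoted above.
write_ldaprc() {
    rc="$1"; cert="$2"; key="$3"; ca="$4"
    cat > "$rc" <<EOF
TLS_CACERT $ca
TLS_CERT $cert
TLS_KEY $key
TLS_REQCERT demand
EOF
}

# Sanity check before sniffing traffic: all three TLS_* entries are present,
# the key file exists, and it is not group/world readable.
check_ldaprc() {
    rc="$1"
    for k in TLS_CACERT TLS_CERT TLS_KEY; do
        grep -q "^$k " "$rc" || return 1
    done
    key=$(awk '$1=="TLS_KEY"{print $2}' "$rc")
    [ -f "$key" ] || return 1
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = "600" ] || return 1
}

# Presenting the cert during StartTLS (-ZZ) does not change the bind: without
# a SASL mechanism the bind is still anonymous, which is what shows up in a
# packet capture. -Y EXTERNAL asks slapd to use the verified cert subject as
# the authorization identity; ldapwhoami prints it as "dn:..." on success.
whoami_with_cert() {
    ldapwhoami -H "$LDAP_URI" -ZZ -Y EXTERNAL
}
```

Running `whoami_with_cert` and getting `anonymous` back, or a `dn:` that does not match the cert subject, points at the server-side identity mapping rather than at the client config.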