Postgres Pro
Downloads
Home   >   mailing lists

Re: BUG #5895: Ability to match more than just CN in client certificate - Mailing list pgsql-bugs

From Robert Haas
Subject Re: BUG #5895: Ability to match more than just CN in client certificate
Date
Msg-id AANLkTimb6anuyoKjEH7y_e+xkLX-tQKjDZEa59b6TFBJ@mail.gmail.com
Whole thread Raw
In response to BUG #5895: Ability to match more than just CN in client certificate  ("Christopher Head" <chris2k01@hotmail.com>)
Responses Re: BUG #5895: Ability to match more than just CN in client certificate  (Christopher Head <chris2k01@hotmail.com>)
List pgsql-bugs
Tree view 
On Sun, Feb 20, 2011 at 5:30 PM, Christopher Head <chris2k01@hotmail.com> w=
rote:
>
> The following bug has been logged online:
>
> Bug reference: =A0 =A0 =A05895
> Logged by: =A0 =A0 =A0 =A0 =A0Christopher Head
> Email address: =A0 =A0 =A0chris2k01@hotmail.com
> PostgreSQL version: 9.0.3
> Operating system: =A0 Linux amd64
> Description: =A0 =A0 =A0 =A0Ability to match more than just CN in client =
certificate
> Details:
>
> This is a feature request/wishlist, not a bug. Right now, when using clie=
nt
> certificates over SSL for authentication, the username map maps from the
> Subject Common Name field in the certificate to a username in the databas=
e.
> It would be nice if matches could be done on a few other fields in the
> certificate. For example, my name is not particularly unusual, so it's
> reasonable that someone else in the world might (and probably does) have =
the
> same name. That doesn't mean I want to give that person access to my
> database, even if they also get a certificate from e.g. cacert.org!
>
> A few fields to match on that would pretty much instantly close this hole
> would be e-mail address and certificate serial number. While the e-mail
> address suggestion could be generalized to match an arbitrary subset of t=
he
> subject's distinguished name fields (e.g. write something like
> /O=3DFooOrg/CN=3DChristopher Head/ to require that both fields must be pr=
esent
> with the specified values), matching certificate serial number would be
> slightly different as the serial number is not part of the distinguished
> name. It would probably be the most secure field to match on, however, as=
 no
> CA will ever issue two certificates with the same serial number. E-mail
> address would be a close second as an address can only be held by one
> person, though it relies on the CA being able to verify the legitimate ow=
ner
> of the address.

It seems like there are a lot of possible combinations here that could
be useful, so we'd want something that allowed a fairly flexible
specification of what to match.

Is this a problem you're interested in working on (i.e. contributing code)?

--=20
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

pgsql-bugs by date:

Previous
From: Robert Haas
Date:
Subject: Re: BUG #5874: pg_dumpall CREATE DATABASE statements 'missing' parameters
Next
From: Robert Haas
Date:
Subject: Re: Corrupted index on 9.0.3 streaming hot standby