| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Christopher Head <chris2k01(at)hotmail(dot)com> |
| Cc: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: BUG #5895: Ability to match more than just CN in client certificate |
| Date: | 2011-03-03 15:20:06 |
| Message-ID: | AANLkTimb6anuyoKjEH7y_e+xkLX-tQKjDZEa59b6TFBJ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Sun, Feb 20, 2011 at 5:30 PM, Christopher Head <chris2k01(at)hotmail(dot)com> wrote:
>
> The following bug has been logged online:
>
> Bug reference: 5895
> Logged by: Christopher Head
> Email address: chris2k01(at)hotmail(dot)com
> PostgreSQL version: 9.0.3
> Operating system: Linux amd64
> Description: Ability to match more than just CN in client certificate
> Details:
>
> This is a feature request/wishlist, not a bug. Right now, when using client
> certificates over SSL for authentication, the username map maps from the
> Subject Common Name field in the certificate to a username in the database.
> It would be nice if matches could be done on a few other fields in the
> certificate. For example, my name is not particularly unusual, so it's
> reasonable that someone else in the world might (and probably does) have the
> same name. That doesn't mean I want to give that person access to my
> database, even if they also get a certificate from e.g. cacert.org!
>
> A few fields to match on that would pretty much instantly close this hole
> would be e-mail address and certificate serial number. While the e-mail
> address suggestion could be generalized to match an arbitrary subset of the
> subject's distinguished name fields (e.g. write something like
> /O=FooOrg/CN=Christopher Head/ to require that both fields must be present
> with the specified values), matching certificate serial number would be
> slightly different as the serial number is not part of the distinguished
> name. It would probably be the most secure field to match on, however, as no
> CA will ever issue two certificates with the same serial number. E-mail
> address would be a close second as an address can only be held by one
> person, though it relies on the CA being able to verify the legitimate owner
> of the address.
It seems like there are a lot of possible combinations here that could
be useful, so we'd want something that allowed a fairly flexible
specification of what to match.
Is this a problem you're interested in working on (i.e. contributing code)?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Joshua McDougall | 2011-03-03 15:20:59 | BUG #5911: pg_notify() function only works when channel name is lower case |
| Previous Message | Robert Haas | 2011-03-03 15:17:39 | Re: BUG #5874: pg_dumpall CREATE DATABASE statements 'missing' parameters |