Project: Certificate login
Version: 6.x-1.0
Component: Miscellaneous
Category: feature request
Priority: normal
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

Hi,

For security, it needs the possibility to accept only certificates of a certain authority.
Is this planned?

Regards,
Roberto

Comments

#1

Wouldn't the server only accept certificates of a certain authority anyway? If not, can you explain how I should go about doing that? Thanks, Moses

#2

I understand English very, very badly...
I don't understand correctly what you think.

My question: which authority is checked?
The official authorities like Thawte?

Without an authority check, everyone can make
a self-signed certificate with the name of
others.

What I mean: I produce an authority and sign
the CSR of the user. Only these certificates
should be accepted.

Like Apache's mod_ssl SSLCACertificateFile:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile

Regards,
Roberto
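The mod_ssl setting referenced above, shown as an added example of restricting client-certificate logins to one issuing authority (this is not code from the issue or the module; the file paths and the CA organisation name are placeholders):

```apache
# Weak: with optional_no_ca, mod_ssl accepts any client certificate,
# including a self-signed one carrying someone else's name, and performs
# no chain validation against a trusted CA.
#
#   SSLVerifyClient optional_no_ca

# Corrected: only certificates chaining to the site's own CA are accepted.
<VirtualHost *:443>
    SSLEngine on
    # Placeholder paths for the server's own certificate and key.
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Trust anchor for client certificates: the CA that signs the users'
    # CSRs. Only CAs in this file are trusted for client authentication,
    # not the system-wide bundle of public CAs.
    # Placeholder path.
    SSLCACertificateFile  /path/to/site-ca.crt

    # Reject the request unless the client presents a certificate that
    # validates against SSLCACertificateFile.
    SSLVerifyClient require
    # Allow only the direct CA -> user certificate link, no intermediates.
    SSLVerifyDepth  1

    # Export SSL_CLIENT_* variables (subject DN, issuer DN, verify result)
    # so the login module can read them from $_SERVER.
    SSLOptions +StdEnvVars

    # Additionally pin the issuer DN of the presented certificate to the
    # site CA on the login path (organisation name is a placeholder).
    <Location /user/login>
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Site CA"
    </Location>
</VirtualHost>
```

The login module should still check that `SSL_CLIENT_VERIFY` equals `SUCCESS` before trusting `SSL_CLIENT_S_DN`, because a vhost left at `SSLVerifyClient optional` populates the DN variables even when verification failed.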

#3

Hi Roberto,
I'm not sure how I would do it. I don't know enough about how certificates work. I can't seem to sign in on my own server without the certificate, though, so I think I'm safe. Can you show me how the code would work to verify the authority?
Moses

#4

I've looked into this some more. If a server accepts certificates from more than one authority this could create a security vulnerability. I will fix this in the 6.x version at some point.

#5

Status: active » closed (fixed)