Re: [Concepts]: cn and userCertificate vs userPrincipalName
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/01/05
- Previous message: Rob S: "Query Process not showing users when not Admin"
- In reply to: S. Pidgorny: "[Concepts]: cn and userCertificate vs userPrincipalName"
- Next in thread: Joe Kaplan (MVP - ADSI): "Re: [Concepts]: cn and userCertificate vs userPrincipalName"
- Reply: Joe Kaplan (MVP - ADSI): "Re: [Concepts]: cn and userCertificate vs userPrincipalName"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 1 Jul 2005 08:09:27 -0700
Hi Slav,
Interesting exploration. I agree with your comment that
"published certificates" are not for authentication, but I am at
a loss as to why you made the comment. You mean that the
VPN auth within the SSL connection is not using a private
cert of the individual - which elsewhere all you said seemed
to indicate, that the CN-based lookup to compare the cert was
redundant, etc.
??
Have you yet commented to them the issue with using CN
instead of a guaranteed unique one such as UPN? Is the lookup really
LDAP:// rather than GC:// so it actually is domain limited
and hence unique?
--
Roger Abell
Microsoft MVP (Windows Security)

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:%23auROQifFHA.572@TK2MSFTNGP15.phx.gbl...
> G'day,
>
> Today I was testing an SSL VPN solution from Aventail. It integrates with
> Windows PKI and Active Directory quite well - you go to the Web portal, use
> certificate to authenticate (PKI trust is verified at this stage), then the
> server is using CN attribute for LDAP lookup, reads userCertificate blob to
> match the presented certificate with one published for the user in Active
> Directory, then reads memberOf for group information and continues on to
> authorisations.
>
> I see conceptual problems with this scheme. First of all, I'd prefer to have
> flexibility to use userPrincipalName for directory lookup, as there could be
> multiple users with same CNs in the directory. Secondly, I don't see much
> point to match the certificate blob, as cryptographic trust is already
> established and authenticity of the attributes is not a question; plus,
> published certificates aren't for authentication but for address book/S/MIME
> type of applications.
>
> However I should stress that the problems are definitely not security
> exposure but rather a kind of inconvenience.
>
> I'd appreciate comments and/or thoughts
>
> Cheers
>
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
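The lookup flow the thread is discussing (directory search by cn versus userPrincipalName, then a byte match of the presented certificate against the multi-valued userCertificate attribute, then memberOf for group authorisation), written out as an added example. This is not Aventail's code and not code from either poster; it runs against a constructed in-memory directory, the userCertificate values are placeholder byte strings standing in for DER-encoded certificates, and the user entries, DNs, UPNs and group names are all made up for the illustration. The RFC 4515 filter escaping is the check a practitioner would want when the cn comes straight out of a certificate subject.

```python
# Added example (not from the thread): cn vs userPrincipalName lookup and
# userCertificate matching over a constructed in-memory directory.

# Constructed stand-ins for DER certificate blobs. AD stores userCertificate
# as a multi-valued binary attribute, so the match below is byte-exact
# against every published value.
CERT_JSMITH_SALES = b"DER:constructed-cert-jsmith-sales"
CERT_JSMITH_IT = b"DER:constructed-cert-jsmith-it"
CERT_STALE = b"DER:constructed-cert-jsmith-sales-renewed-2004"

# Constructed directory: two distinct users share cn "John Smith" in different
# OUs of the same domain, which is legal in AD; their UPNs are unique.
DIRECTORY = [
    {
        "dn": "CN=John Smith,OU=Sales,DC=corp,DC=example",
        "cn": "John Smith",
        "userPrincipalName": "jsmith@corp.example",
        "userCertificate": [CERT_STALE, CERT_JSMITH_SALES],
        "memberOf": ["CN=VPN-Users,OU=Groups,DC=corp,DC=example"],
    },
    {
        "dn": "CN=John Smith,OU=IT,DC=corp,DC=example",
        "cn": "John Smith",
        "userPrincipalName": "john.smith@corp.example",
        "userCertificate": [CERT_JSMITH_IT],
        "memberOf": ["CN=VPN-Users,OU=Groups,DC=corp,DC=example",
                     "CN=Domain Admins,CN=Users,DC=corp,DC=example"],
    },
]


def ldap_escape(value):
    """Escape an assertion value per RFC 4515 so that characters taken from a
    certificate subject (e.g. parentheses or '*' in a cn) cannot change the
    structure of the search filter sent to the directory."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def build_filter(attribute, value):
    """The equality filter a gateway would send, e.g. (cn=John Smith)."""
    return "(%s=%s)" % (attribute, ldap_escape(value))


def search(directory, attribute, value):
    """Equality match on one attribute. cn and userPrincipalName are
    case-insensitive in AD, so compare case-folded."""
    wanted = value.casefold()
    return [e for e in directory if e[attribute].casefold() == wanted]


def lookup_single(directory, attribute, value):
    """Return the entry only if the filter hits exactly one object; an
    ambiguous cn match yields None rather than the first hit."""
    hits = search(directory, attribute, value)
    return hits[0] if len(hits) == 1 else None


def certificate_is_published(entry, presented_der):
    """True when the presented certificate equals one of the userCertificate
    values on the entry (byte-exact, any of the multi-valued blobs)."""
    return any(blob == presented_der for blob in entry["userCertificate"])


def authorize(directory, presented_der, lookup_attribute, lookup_value):
    """Post-PKI-trust steps of the flow described in the thread: directory
    lookup, userCertificate match, then memberOf for group authorisation.
    Returns a result dict instead of raising so each outcome is inspectable."""
    entry = lookup_single(directory, lookup_attribute, lookup_value)
    if entry is None:
        return {"granted": False,
                "reason": "filter %s did not match exactly one entry"
                          % build_filter(lookup_attribute, lookup_value)}
    if not certificate_is_published(entry, presented_der):
        return {"granted": False, "dn": entry["dn"],
                "reason": "presented certificate is not published on the entry"}
    return {"granted": True, "dn": entry["dn"],
            "memberOf": list(entry["memberOf"])}


if __name__ == "__main__":
    # cn lookup is ambiguous for the duplicated name; UPN lookup is not.
    print(authorize(DIRECTORY, CERT_JSMITH_SALES, "cn", "John Smith"))
    print(authorize(DIRECTORY, CERT_JSMITH_SALES,
                    "userPrincipalName", "jsmith@corp.example"))
```

Running the block shows the cn lookup refused because the filter `(cn=John Smith)` matches two objects, while the userPrincipalName lookup succeeds and returns the Sales user's groups. A search rooted at `GC://` rather than `LDAP://` would only widen the set of colliding cn values, since it spans every domain in the forest, which is the point behind Roger's question above.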