[Cryptography] Mutually authenticated TLS

Viktor Dukhovni cryptography at dukhovni.org
Mon Mar 5 21:22:59 EST 2018



> On Mar 5, 2018, at 6:50 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> 
> I'm working with someone who is issuing X.509 client-side certificates
> used for authenticating against a REST-base web service.
> 
> That person is says that the server code for the web service is only
> checking for a specific OU in the client cert's DN to do the
> authentication. (They're are validating the entire cert chain and have
> an internal CA that has to issue the cert.)

If the internal CA in question only grants certificates for names in
this OU to clients authorized to use the application in question, and
if revocation is considered not important (e.g. short-lived certs), or
CRLs are being checked. Then there's nothing wrong with this approach.

> I tried to explain that
> ideally, the entire client cert or at least it's public key should be
> used for the authentication process, but short of that, at least use
> the full, canonicalized DN.

TLS makes sure that the public key in the certificate signs the client
key exchange.  So the key is always checked.  The CA binds the key to
the OU.  So this is all fine.  The full DN has little authentication
value if all clients get the same access level.  It might be useful
in an audit trail, but is not necessarily needed for access control.

> I find it rather odd that if they are going to use only a portion of
> the DN, that they wouldn't at least use the CN rather than some OU and
> explained my concern about having two different DNs with the same OU
> (which is supposed to represent a specific client application invoking
> the web service).

Since the server was not looking to communicate with a specific client,
but rather *some* client started communicating with the server, there's
little to be gained by checking the "CN" (against what exactly?) if all
possible "CN" values get the same access.

> E.g., one DN containing OU=abc,OU=applName and the
> other containing only OU=applName and otherwise the same. Because the
> server is only looking if the DN contains 'OU=applName', then the
> [supposedly unauthorized] cert with the DN containing
> 'OU=abc,OU=applName' could be used to authenticate as well, even
> though only the one with a single 'OU-applName' was intended to be
> allowed.

But the access control token is the "OU"...

> (Fortunately, the intermediate CA is manually vetting all
> requests and there's a very small number of clients certs issues so
> they claim they would catch this by their manual vetting process, but
> still it leaves me feeling a bit uneasy.)

They're right.

> They are telling me that what *they* are doing is "standard practice"
> and what I was proposing (to minimally at least check the full,
> canonicalized DN) as "an acceptable compromise under some conditions,
> but should be avoided".

You're asking them to implement a more fine-grained access check in
the application, but they're comfortable doing that in the CA, and
either don't have a revocation requirement, or process CRLs.

> So I was just wondering, is anyone aware of any standards documents
> such as RFCs or some widely cited "best practices" document that I can
> refer them to?

The RFCs are out of scope here.  Access control decisions are up to
the verifier.  The certificate is valid, what part of it they choose
to base access control on is up to them.

-- 
	Viktor.



More information about the cryptography mailing list