Return-Path: X-Original-To: apmail-directory-dev-archive@www.apache.org Delivered-To: apmail-directory-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 8DC7ED80D for ; Tue, 23 Oct 2012 09:02:47 +0000 (UTC) Received: (qmail 39394 invoked by uid 500); 23 Oct 2012 09:02:47 -0000 Delivered-To: apmail-directory-dev-archive@directory.apache.org Received: (qmail 39153 invoked by uid 500); 23 Oct 2012 09:02:45 -0000 Mailing-List: contact dev-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Apache Directory Developers List" Delivered-To: mailing list dev@directory.apache.org Received: (qmail 39125 invoked by uid 99); 23 Oct 2012 09:02:44 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 23 Oct 2012 09:02:44 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of ayyagarikiran@gmail.com designates 209.85.212.50 as permitted sender) Received: from [209.85.212.50] (HELO mail-vb0-f50.google.com) (209.85.212.50) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 23 Oct 2012 09:02:39 +0000 Received: by mail-vb0-f50.google.com with SMTP id fa15so4856908vbb.37 for ; Tue, 23 Oct 2012 02:02:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; bh=XJsa//8hfUDU7rxx7/2BPJcS46ZsaWEhUJEX0m00G6U=; b=XSBHsKJCUSNo1pdQZe/Fuos21S5c7PHeTx/CSsuUrEtJYEvgKDUV0oUiXlWC8V+TyJ GmxZELqEOIonswmVUr1z2jbzEeGA73zkhBt70RKVUurw4wvz5etYRr7s0KtoIRHCSLMy idMCm1R0PdpVbBtJSsKd37BCvFlyUEq3mhZujydTp7vuR5Rni2sRCL45c7hP/l+DcEoT Tm8gb1Yy2yEtvptOwxMOZ8CHuo2YDEeE7gYrPOY8Hl4MNZdsY7qgOxCKZVUA2zOmrot1 VJxCL8zzRLfUZFAsqgK5+yavGxAGj0GG1HRXpMnz7H8iX1TIR8lriHgJzwAl2ld5fYQV qz/A== MIME-Version: 1.0 Received: by 10.52.23.199 with SMTP id o7mr15713417vdf.129.1350982938006; Tue, 23 Oct 2012 02:02:18 -0700 (PDT) Sender: ayyagarikiran@gmail.com Received: by 10.58.117.97 with HTTP; Tue, 23 Oct 2012 02:02:17 -0700 (PDT) In-Reply-To: <50864C7F.80609@gmail.com> References: <50864C7F.80609@gmail.com> Date: Tue, 23 Oct 2012 14:32:17 +0530 X-Google-Sender-Auth: t4eiYavpAargyXiiJVPCu5DMmDA Message-ID: Subject: Re: [ApacheDS] adding a global trust manager From: Kiran Ayyagari To: Apache Directory Developers List Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org On Tue, Oct 23, 2012 at 1:21 PM, Emmanuel L=E9charny = wrote: > Le 10/23/12 8:09 AM, Kiran Ayyagari a =E9crit : > >> Hi All, >> >> I am currently implementing an X509 trust manager that is used for >> checking client certificates while using TLS for replication. >> >> This trust manager can work in any one of the two modes >> 1. trust all (default mode) >> 2. trust only the specified certificates >> >> In the 2 mode trust manager loads a set of certificates stored in >> DiT under ou=3Dcertificates,ou=3Dsystem (a new branch) [1] > > > Will it be a separate partition ? > no, this is just a branch under ou=3Dsystem partition > >> and checks against this list. The certificate that is not present >> in this list but is signed by a known CA will be trusted >> automatically. >> >> The initial idea is to use this trust manager only for replication >> connections, but I would like to know your thoughts about using it >> in StartTLS and LDAPS connections by default? > > Well, usually, we fetch the certificate from the user entry, so we only h= ave > one place to store every piece of information relative to a user. Typical= ly, > there is no specific reason to not store the public key certificate of a > user somewhere else than in the user's entry. > yeah, a common area where all trusted certificates are stored is much easie= r to handle (assuming the case where not all user entries contain certificates unless in a PKI like env.) > Now, we can certainly imagine a situation where you want to gather may > certificates in a simple place. > > Keep in mind we can also add an index on certificate (although we will ha= ve > to write a specific matching rule to the associated comparator in order t= o > avoid doing a plain byte[] comparison of certificates. I'm sorry, but her= e I > have not enough knowledge to foresee all the consequences of such a > modification, I hav to do my homework :) > > Anyway, this is certainly an area we have to investigate ! > currently searching is not the main concern here, but I agree with your poi= nt >> >> [1] am thinking of replacing the unused >> prefNodeName=3DsysPrefRoot,ou=3Dsystem branch with >> ou=3Dcertificates,ou=3Dsystem, please raise any >> objections you may have w.r.t this change. > > Well, I'd rather keep this branch, and create a new one atm. We can delet= e > the prefNodeName later if needed. > > Btw, will it impct the configuration ? > no, this is branch is not in use anywhere except in some tests while comparing the DNs of search results > > -- > Regards, > Cordialement, > Emmanuel L=E9charny > www.iktek.com > --=20 Kiran Ayyagari http://keydap.com