From: Pierre-Arnaud Marcelot
To: "Apache Directory Developers List"
Subject: Re: [ApacheDS] adding a global trust manager
Date: Tue, 23 Oct 2012 10:14:01 +0200

Hi Kiran,

On 23 Oct. 2012, at 08:09, Kiran Ayyagari wrote:

> Hi All,
>
> I am currently implementing an X509 trust manager that is used for
> checking client certificates while using TLS for replication.
>
> This trust manager can work in any one of the two modes
> 1. trust all (default mode)
> 2. trust only the specified certificates

Sounds cool. :)

> In the 2nd mode the trust manager loads a set of certificates stored in
> the DIT under ou=certificates,ou=system (a new branch) [1]

Sorry to hijack a little the original topic here, but I think it's related.
I really think we should get rid of the system partition, it has no use and the only interesting thing it still holds is the default/admin user.

Everything that is configurable (including the default/admin user) has its place in the configuration partition.
That includes the certificates you're talking about.

ATM, the default password is not included in the configuration and it makes it uncomfortable having to first launch the server to be able to edit this value.
It would be the same thing for those certificates.

I think the configuration partition should really be the place where we store everything that can be configured.
Once that's done, the system partition has no reason to exist anymore.

WDYT?

> and checks against this list. The certificate that is not present
> in this list but is signed by a known CA will be trusted
> automatically.
>
> The initial idea is to use this trust manager only for replication
> connections, but I would like to know your thoughts about using it
> in StartTLS and LDAPS connections by default?

Sounds like a good idea to me.

There's a related issue on the API as well (with some kind of a patch proposal).
https://issues.apache.org/jira/browse/DIRAPI-72

Regards,
Pierre-Arnaud

> [1] am thinking of replacing the unused
> prefNodeName=sysPrefRoot,ou=system branch with
> ou=certificates,ou=system, please raise any
> objections you may have w.r.t this change.
>
>
> --
> Kiran Ayyagari
> http://keydap.com
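As an added illustration (not code from this thread or from ApacheDS), a Java X509TrustManager with the two modes Kiran describes: trust-all, or a pinned set of certificates with fallback to the JVM's default CA trust store for the "signed by a known CA" case. The class name, the Mode enum and the pinned set are hypothetical; the set is assumed to have been loaded from the DIT by the caller.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical trust manager: mode 1 accepts every chain, mode 2 accepts a
// pinned certificate or anything that validates against a known CA.
public final class PinnedOrCaTrustManager implements X509TrustManager {
    public enum Mode { TRUST_ALL, TRUST_SPECIFIED }
    private final Mode mode;
    private final Set<X509Certificate> pinned;   // assumed to be read from ou=certificates by the caller
    private final X509TrustManager caFallback;   // JVM default trust store, the "known CA" check
    public PinnedOrCaTrustManager(Mode mode, Set<X509Certificate> pinned) throws GeneralSecurityException {
        this.mode = mode;
        this.pinned = Collections.unmodifiableSet(new HashSet<>(pinned)); // equals() compares DER encoding
        this.caFallback = defaultTrustManager();
    }
    private static X509TrustManager defaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);               // null keystore selects the JVM cacerts
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (mode == Mode.TRUST_ALL) return;     // mode 1: no check at all, any chain passes
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        X509Certificate leaf = chain[0];
        leaf.checkValidity();                    // an expired pinned cert is still rejected
        if (pinned.contains(leaf)) return;       // mode 2: explicitly listed certificate
        caFallback.checkClientTrusted(chain, authType); // otherwise it must chain to a known CA
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkClientTrusted(chain, authType);     // same policy if reused for StartTLS/LDAPS clients
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return caFallback.getAcceptedIssuers();
    }
}
```

Mode selection, pinned-set loading and the choice of default mode are left to the caller, which is where the configuration-partition question raised above would be decided.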