On 6/29/2023 11:29 PM, Windl, Ulrich wrote:
> I think there's something missing: When *creating* the certificate "It proves that the bearer owns the DN" (done by RA/CA), but when *using* the certificate (by a client) the server should still check whether the certificate matches the client. Otherwise any stolen certificate could be used to gain access from everywhere. MHO.
When you say "matches the client", what do you mean? That the client's
IP address maps to a name on the certificate? Remember that in DNS the
mapping from IP address to name is under the control of the person who
owns the IP address, not the person who owns the name. Remember also
that the client may be behind a NAT that hides their IP address.Â
Finally, remember that the client may legitimately change its IP address
and DNS name (if any) from time to time as it is moved from one location
to another (think phone, or laptop, or desktop moving from one office to
another) or networks are reconfigured around it.
This is asymmetric from the more common server authentication. For
server authentication, the server has a stable name, and that name was
supplied by the human and so can be trusted (more or less) and checked
against the certificate. In fact, that human-supplied name serves
exactly the same purpose as an "authorized DN" list: it says which
certificates are acceptable.
Net... you're absolutely right, if somebody steals your certificate -
more precisely, your private key - they can use it to gain access. It
is exactly as for a password: a username and password authenticates the
user, but if somebody steals your password, they can masquerade as you.Â
Depending on your particular scenario, it might be appropriate to have
*additional* checks - acceptable networks, et cetera - or require
multiple factors (e.g. certificate plus password). Those additional
checks are not part of the certificate-based authentication process.
Somebody stealing your private key may well be Game Over. Don't let
people steal it.
--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris