Christopher Paul wrote:
The point of a certificate-based authentication system is not to have to implement authentication rules for each and every individual user. An LDAP server should only trust certificates issued by a single CA; that CA should only be issuing certs to valid users. Ideally, the LDAP server should be the CA, which is what slapo-autoca is designed for.
> Any peer in a TLS session that does validation seems to have three things to validate:
> - the X.509 subject name matching the name as known or claimed by the peer
The above applies to clients validating servers. TLS is client-server, not peer-to-peer.
Clients with certs assert their name to servers, and if the server trusts the cert issuer then it accepts the name that the client asserted.
> - the signing authority
> - the validity date
> Are we saying that the LDAP server should only care about #2?
The date is important too of course. And revocation checks too, but they aren't relevant to this conversation.