The point of a certificate-based authentication system is not to have to implement authentication rules for each and every individual user. An LDAP server should only trust certificates issued by a single CA; that CA should only be issuing certs to valid users. Ideally, the LDAP server should be the CA, which is what slapo-autoca is designed for.
Any peer in a TLS session that does validation seems to have three things to validate:

1. the X.509 subject name matching the name as known or claimed by the peer
2. the signing authority
3. the validity date
Are we saying that the LDAP server should only care about #2?
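The three checks from the post, as an added example (not code from the post or from OpenLDAP), written against Go's standard crypto/x509 package. It assumes the LDAP server's own CA is the only trusted root, that the user identity is carried in the subject CN, and that the peer states the identity it claims out of band (the names "ldap.example.org CA", "alice" and "bob" are constructed for the example). Each failure reports which of the three checks rejected the certificate:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key for tmpl and signs tmpl with signer under
// parent. A nil signer means self-signed: the new key signs its own cert.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewCA builds the single self-signed CA the server trusts (the role the LDAP
// server itself plays when it is its own CA).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, tmpl, nil)
}

// IssueClient issues a client-auth cert whose CN carries the user's identity.
// The client's private key is discarded: only the certificate is validated here.
func IssueClient(ca *x509.Certificate, caKey *ecdsa.PrivateKey, uid string, notBefore, notAfter time.Time) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: uid},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert
}

// ValidatePeer runs the three checks: #3 the validity window at now, #2 the chain
// to the one trusted CA (with the client-auth EKU), #1 the subject CN against the
// identity the peer claims. Verify would also catch #3, but checking the dates
// first gives the peer a clearer reason than a generic chain failure.
func ValidatePeer(peer, trustedCA *x509.Certificate, claimed string, now time.Time) error {
	if now.Before(peer.NotBefore) || now.After(peer.NotAfter) {
		return fmt.Errorf("#3 validity: %s is outside %s..%s", now.UTC().Format(time.RFC3339), peer.NotBefore.Format(time.RFC3339), peer.NotAfter.Format(time.RFC3339))
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := peer.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return fmt.Errorf("#2 signing authority: %w", err)
	}
	if peer.Subject.CommonName != claimed {
		return fmt.Errorf("#1 subject: cert CN %q, peer claims %q", peer.Subject.CommonName, claimed)
	}
	return nil
}

func main() {
	now := time.Now()
	ca, caKey := NewCA("ldap.example.org CA") // hypothetical names throughout
	rogue, rogueKey := NewCA("some other CA")
	asAlice := func(c *x509.Certificate) error { return ValidatePeer(c, ca, "alice", now) }
	fmt.Println("good:      ", asAlice(IssueClient(ca, caKey, "alice", now.Add(-time.Hour), now.Add(time.Hour))))
	fmt.Println("wrong name:", ValidatePeer(IssueClient(ca, caKey, "alice", now.Add(-time.Hour), now.Add(time.Hour)), ca, "bob", now))
	fmt.Println("other CA:  ", asAlice(IssueClient(rogue, rogueKey, "alice", now.Add(-time.Hour), now.Add(time.Hour))))
	fmt.Println("expired:   ", asAlice(IssueClient(ca, caKey, "alice", now.Add(-2*time.Hour), now.Add(-time.Minute))))
}
```

Run it and only the first case passes. In slapd terms, `TLSVerifyClient demand` covers #2 and #3 at the TLS layer (a client whose cert does not chain to the configured CA, or is outside its validity window, never completes the handshake), while #1 is the mapping of the certificate's subject DN onto an LDAP identity, which is what `authz-regexp` does for SASL EXTERNAL binds. With a single CA that only issues to valid users, #2 plus #3 is what makes the certificate trustworthy; #1 is what turns it into a particular user.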