Hi John, just a few additional remarks inline...

On Thu, Jul 31, 2014 at 12:21:59PM -0400, John MacAuley wrote:
> Yes, I was indeed mixing authentication and basic authorization. I have solved the issue by adding certificate DN authorization in Apache after the TLS session is established. It is just too bad TLS gets established in the first place with these wide-ranging CAs. Seems a bit senseless in the grand scheme of security.

I'm not sure I fully understand what you mean, but note in any case that you can easily provide a CA file or path with a (small) set of accepted CAs for client auth in Apache; see http://httpd.apache.org/docs/current/mod/mod_ssl.html under SSLCACertificateFile, SSLCACertificatePath and SSLCADNRequestFile, SSLCADNRequestPath.
> Java-based implementations can override the default SSL engine to give customized handling of the certificates, which solves my problem during the negotiation phase. Unfortunately, not everyone can do this.

First of all, the standard mod_ssl has a number of possibilities for customization, and you already get quite some data back from the Apache server, such as the issuer CA of the client cert etc., so you can also do quite some checks after the SSL handshake, for example in PHP. Also see below, about e.g. mod_gridsite.
> "Self-signed certificates will not scale." - It really depends on the deployment requirements of the application. We are discussing control plane peering of service agents, of which an organization will typically have a handful to tens for the foreseeable future. I would not use self-signed for use cases where I am dealing with 100 - 1,000s of clients. In that case it definitely does not scale.

True, but even for smaller cases it can be difficult to handle the revocation or expiry of a certificate, as it has to be quickly distributed over all services and clients.
> However, having to provision 1,000s of access control lists to restrict access does not scale either. If this was the case, an entirely different solution would be required that does not depend on SSL/TLS for anything other than encryption.

In principle, in the Grid world people have developed an Apache module (mod_gridsite.so, shipped as part of gridsite, which is available in both RedHat via EPEL and Debian) which can handle access control based on virtual organization (VO) membership, roles etc., especially to address your point about the ACLs. The Grid also started out using long lists of user DNs, until we moved to the concept of a VO with roles and groups and access control based on that.
On Thu, Jul 31, 2014 at 05:50:08PM +0000, Sill, Alan wrote:
> We had planned to put together a workshop on identity management for software-defined networking for SC'14, but I don't think we got that submitted in time. This sounds like a topic that would be good to discuss at an OGF meeting or other gathering of the NSI group.

That would be very interesting.
Best wishes,
Mischa

--
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle@nikhef.nl
  __ .. ... _._. .... ._   ... ._ ._.. ._.. .._..
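As an added illustration of the two points raised above (it is not configuration from the thread, from John's deployment or from the NSI project), here is a mod_ssl fragment that first narrows the set of CAs accepted during the TLS handshake and then does DN-based authorization after the handshake. All file paths, DNs and hostnames are made up for the example.

```apache
# Added example, not from the thread. Paths, CA names and agent hostnames
# are assumptions for illustration only.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/nsi-agent.pem
    SSLCertificateKeyFile /etc/apache2/ssl/nsi-agent.key

    # Weak setting: verifying against the OS-wide bundle means any client
    # holding a certificate from *any* public CA completes the handshake,
    # and only later authorization keeps it out.
    # SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # Corrected: a small bundle containing only the CA(s) that issue the
    # peer agents' certificates. Clients from other CAs fail the handshake.
    SSLCACertificateFile /etc/apache2/ssl/peer-cas.pem

    # Optional: the list of acceptable CA names advertised to the client in
    # the CertificateRequest; kept identical to the verification bundle here.
    SSLCADNRequestFile   /etc/apache2/ssl/peer-cas.pem

    SSLVerifyClient require
    SSLVerifyDepth  2

    <Location /nsi>
        # Post-handshake authorization on issuer and subject DN. DN strings
        # use the RFC 2253 form that Apache 2.4 emits by default; with
        # "SSLOptions +LegacyDNStringFormat" they would be the slash form.
        SSLRequire %{SSL_CLIENT_I_DN} eq "CN=Example Peering CA,O=Example,C=NL" \
                   and %{SSL_CLIENT_S_DN_CN} in {"agent-a.example.org", "agent-b.example.net"}

        # Export SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_CLIENT_VERIFY etc. to the
        # backend (PHP, CGI) so it can apply its own checks after the handshake.
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

Two caveats a practitioner should check: the DN string format changed between Apache 2.2 and 2.4 (slash-separated versus RFC 2253), so an SSLRequire match that works on one version can silently fail on the other; and in 2.4 the same check is better written as `Require expr` with the same variables, since SSLRequire is deprecated there. A backend reading the exported variables must also confirm that SSL_CLIENT_VERIFY is SUCCESS before trusting the DN values.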