[OTDev] A&A: precautions against pre-registering resources

Andreas Maunz andreas at maunz.de
Thu Jul 1 13:08:32 CEST 2010


Hi all,

It seems that, while investigating the possibilities for SSL-based 
authentication introduced by Luchesar, I could relatively easily implement 
DNS checking as an intermediate step.
The approach would be:

a. Get the host names of URIs from policy XML upload
b. Get the host name of client
c. Compare host names. If not all host names from a. equal the one from 
b => perform DNS lookup to reveal IPs. Then check IPs for equality.
d. Decide about installation of policy based on results from c.

An attacker would have to compromise DNS lookups to be successful. What 
do you think?

Greetings
Andreas


Andreas Maunz wrote on 06/29/2010 04:40 PM:
> Luchesar V. ILIEV wrote on 06/29/2010 04:25 PM:
>> And it's really the policy service that matters. OpenSSO need not (as
>> far as I can ascertain at the moment) require client certificates for
>> its connections.
>
> Ah, ok. That's nice to hear. :-) Yes, it makes sense to primarily target
> the policy service.
>
>> So, if you can get access to the client certificate from within the
>> policy service, that would be great. I'm afraid I don't have much
>> experience with programming webservices, but I'll try to educate
>> myself more on the matter as well.
>
> My approach would be to forward the appropriate SSL traffic directly to the
> policy webservice.
> The webserver there could then do anything with it, also checking the
> client certificate.
> Just the basic idea, but I'll investigate the possibilities.
>
> Greetings
> Andreas

-- 
http://www.maunz.de

             And on the 8th day God said: "Ok Murphy, you take over."
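The check described in steps a. to d. above, written out as an added example (it is not code from this message or from the OpenTox project). The policy XML element names, the host names and the host-to-IP table are constructed stand-ins so that it runs offline; the real check would use the system resolver via `dns_resolve`.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample policy XML; element/attribute names are an assumption,
# not the real OpenTox policy schema. Both resources live on the service's hosts.
SAMPLE_POLICY = """<Policies><Policy name="p1"><Rule name="r1">
  <ResourceName name="http://policy.example.org:8080/model/1"/>
  <ResourceName name="https://alias.example.org/dataset/2"/>
</Rule></Policy></Policies>"""

# Constructed stand-in for DNS so the example runs offline: host -> set of IPs.
FAKE_DNS = {"policy.example.org": {"203.0.113.10"},
            "alias.example.org": {"203.0.113.10"},
            "other.example.net": {"198.51.100.7"}}

def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return FAKE_DNS[host]

def dns_resolve(host):
    """Real resolver (step c): every A/AAAA address the system resolver returns."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def resource_hosts(policy_xml):
    """Step a: host names of all http(s) URIs found in the uploaded policy."""
    hosts = set()
    for el in ET.fromstring(policy_xml).iter():
        for value in el.attrib.values():
            url = urlparse(value)
            if url.scheme in ("http", "https") and url.hostname:
                hosts.add(url.hostname.lower())
    return hosts

def policy_allowed(policy_xml, client_host, resolve=dns_resolve):
    """Steps b-d: install only if every resource host equals the client's host
    name or, failing that, resolves to exactly the same IP set."""
    client_host = client_host.lower()
    hosts = resource_hosts(policy_xml)
    if not hosts:
        return False  # assumption: a policy naming no resources is refused
    mismatched = {h for h in hosts if h != client_host}
    if not mismatched:
        return True
    try:
        client_ips = resolve(client_host)
        return all(resolve(h) == client_ips for h in mismatched)
    except OSError:
        return False  # lookup failed: cannot verify, so do not install
```

With the default `dns_resolve`, the decision stands or falls with the integrity of the resolver, which is exactly the exposure the message points out; a failed lookup is treated as "do not install" rather than as a pass.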
