[OTDev] A&A: precautions against pre-registering resources
Andreas Maunz andreas at maunz.de
Thu Jul 1 13:08:32 CEST 2010
Hi all,

seems that, while investigating the possibilities for SSL-based authentication introduced by Luchesar, I could relatively easily implement DNS checking as an intermediate step. The approach would be:

a. Get the host names of URIs from policy XML upload
b. Get the host name of client
c. Compare host names. If not all host names from a. equal the one from b => perform DNS lookup to reveal IPs. Then check IPs for equality.
d. Decide about installation of policy based on results from c.

An attacker would have to compromise DNS lookups to be successful.
What do you think?

Greetings
Andreas

Andreas Maunz wrote on 06/29/2010 04:40 PM:
> Luchesar V. ILIEV wrote on 06/29/2010 04:25 PM:
>> And it's really the policy service that matters. OpenSSO need not (as
>> far as I can ascertain at the moment) require client certificates for
>> its connections.
>
> Ah, ok. That's nice to hear. :-) Yes, it makes sense to primarily target
> the policy service.
>
>> So, if you can get access to the client certificate from within the
>> policy service, that would be great. I'm afraid I don't have much
>> experience with programming webservices, but I'll try to educate
>> myself more on the matter as well.
>
> My approach would be to forward the appropriate SSL traffic directly to the
> policy webservice.
> The webserver there could then do anything with it, also checking the
> client certificate.
> Just the basic idea, but I'll investigate the possibilities.
>
> Greetings
> Andreas
> _______________________________________________
> Development mailing list
> Development at opentox.org
> http://www.opentox.org/mailman/listinfo/development
>

--
http://www.maunz.de
And on the 8th day God said: "Ok Murphy, you take over."
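
The check in steps a. to d. above, sketched in Python as an added example; it is not code from this message or from the OpenTox services. It assumes the policy XML lists resources as `ResourceName` elements with a `name` attribute, reads "equality" as identical address sets, and rejects the policy on any parse or lookup failure; the sample policy and the lookup table are constructed.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample upload; the element and attribute names are an assumption.
SAMPLE_POLICY = """<Policies><Policy name="p">
<Rule name="r1"><ResourceName name="https://svc.example.org/model/1"/></Rule>
<Rule name="r2"><ResourceName name="https://alias.example.org/model/2"/></Rule>
</Policy></Policies>"""
# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {"svc.example.org": {"192.0.2.10"}, "alias.example.org": {"192.0.2.10"},
            "other.example.net": {"198.51.100.7"}}

def policy_hosts(policy_xml):
    """Step a: host names of every resource URI in the uploaded policy."""
    hosts = set()
    # The upload is untrusted input; a hardened XML parser is advisable here.
    for el in ET.fromstring(policy_xml).iter("ResourceName"):
        host = urlsplit(el.get("name", "")).hostname  # already lower-cased
        if not host:
            raise ValueError("resource URI without a host name")
        hosts.add(host.rstrip("."))
    return hosts

def dns_addresses(host):
    """Default resolver: every address the system resolver returns for host."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()  # unresolvable host: the caller treats this as a mismatch

def may_install(policy_xml, client_host, resolve=dns_addresses):
    """Steps b-d: True only if every resource host is the client itself."""
    client = client_host.lower().rstrip(".")
    try:
        hosts = policy_hosts(policy_xml)
    except (ET.ParseError, ValueError):
        return False  # fail closed on malformed uploads
    if not hosts:
        return False  # nothing to verify, nothing to install
    client_ips = None
    for host in hosts:
        if host == client:  # step c, first part: names match, no lookup needed
            continue
        if client_ips is None:
            client_ips = resolve(client)
        ips = resolve(host)  # step c, second part: compare resolved addresses
        if not ips or ips != client_ips:
            return False
    return True
```

`may_install(SAMPLE_POLICY, "svc.example.org", lambda h: FAKE_DNS.get(h, set()))` accepts the sample policy because both resource hosts resolve to the client's address; any other client in the table is rejected.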