Security Basics mailing list archives
Re: IIS 5 and client certificates
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 05 Nov 2002 00:22:24 -0600
On Fri, 2002-11-01 at 16:29, Chris Eidem wrote:
[...] What I've tested:

- Anyone with our cert can reach the site with certs ignored or accepted, no surprise.
- Anyone with our cert can reach the site with client cert mapping not enabled. Slightly surprising, as I would think that it would default to no one being allowed access.
- Anyone with our cert can reach the site with client cert mapping enabled and no 1-to-1 rules. Again surprising.
- I added a second cert, and mapped it to a user that was not allowed access to the default.html page. That user was not allowed access, but all other cert holders were allowed access.
- I added a Many-to-1 rule denying access to anyone with the following certificate criterion: Issuer CN matches '<root CA text here>'. With this enabled, and the local Root CA installed, it matches what I thought that it would do with just the client cert installed.

Since all the major CAs have their certificates installed into Windows 2000, IIS recognizes them and I fear that anyone with a valid cert may be able to access a site. [...]
Chris, have you tried *removing* all other root certs from the root CA store of the web server, leaving only your own root CA cert in the certificate store?
From what I understand, any certificate signed by a trusted root CA (so by default, Verisign etc.) is accepted, and the CN name is used as a username for authentication (or via the mapping, remapped to a different ID). It seems to me that if you trust only your certificate, you would need to reduce the trust in the root CA store to just your root cert.

Regards,
Frank
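Frank's suggestion, as an added shell example that is not part of the thread: two constructed root CAs, one client cert issued by each, and `openssl verify` run against a bundle of all roots (the default-like situation Chris describes) versus a bundle holding only our own root. It assumes the openssl CLI is installed; all CA and user names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a trust store holding every root accepts a
# client cert from any of those roots; a store holding only our own root does not.
# Assumes the openssl CLI; every CA and cert below is constructed here in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed root CA: $1 = file prefix, $2 = CA common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Issue a client cert from a CA: $1 = CA prefix, $2 = client prefix, $3 = client CN.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 1 -out "$2.crt" 2>/dev/null
}

# Decide whether a client cert would be accepted: prints "accept" if it chains to a
# root in the trust bundle $1, "reject" otherwise ($2 = client cert file).
decide() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo accept; else echo reject; fi
}

make_ca ourca   "Our Root CA"             # the only CA we mean to trust
make_ca otherca "Some Public CA (fake)"   # stands in for a preinstalled public root
issue_client ourca   alice   "alice"      # a user we issued a cert to
issue_client otherca mallory "mallory"    # valid cert, but from a CA we never chose

cat ourca.crt otherca.crt > allroots.pem  # default-like store: every root trusted
cp  ourca.crt onlyours.pem                # Frank's suggestion: only our own root

# Print the decision matrix: store x client.
for store in allroots.pem onlyours.pem; do
  for client in alice.crt mallory.crt; do
    printf '%-13s %-11s %s\n' "$store" "$client" "$(decide "$store" "$client")"
  done
done
```

With allroots.pem both client certs are accepted; with onlyours.pem only alice.crt is, which is the behaviour the mapping rules alone did not give Chris.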