[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)
Peter Williams
pwilliams at rapattoni.com
Sun Jan 4 00:45:02 UTC 2009
I have not studied MSFT crypto APIs in ~10 years. But, the original (very clever) Microsoft notion to ensure that "apps" controlled PKI trust was:
Put all the roots in a storage pot, per machine/user SID (with access control by the NT reference monitor), and the application (aka hosted website) specifies a CTL - whose beyond-SID nature defines what is "valid" on an app basis. The app self-signs the CTL.
There were the usual NT monitor controls enforced in keys and cert stores that limited who could make/amend the CTL. But the point was ... leverage it as an "app" configuration tool, that would drive the platform SSL call back on trust.
But, this is going back in the NT 4 SP4 days, which had the network components of NT go through a CC evaluation by Logica, for the first time. Since then, .NET has added its own model of privileged trust delegation.
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Peter Watkins
> Sent: Saturday, January 03, 2009 4:34 PM
> To: Andrew Arnott
> Cc: general at openid.net
> Subject: Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP
> implementations)
>
>
> Can't you "just" add the CAs to trusted roots for the Windows account
> that the asp.net app runs as? I suppose it'd be tougher for folks
> using integrated auth & impersonation, but I also expect most asp.net
> webapps doing OpenID auth aren't using impersonation. Similarly, I'd
> expect to be able to remove CA certs from the asp.net webapp user's
> profile in order to shorten the CA whitelist.
>
> I don't know how tough it is to edit the root certs for the profiles of
> app pool-type accounts, and hope you'll forgive my not firing up
> Studio on a Saturday night to see if there's an obvious API. :-)
>
> On *nix it's usually pretty straightforward -- find the keystore
> holding root certs and manipulate it via OpenSSL, Java keytool,
> or whatever app is appropriate for the environment. Is it not the
> same in Windows?
>
> -Peter
>
> On Sat, Jan 03, 2009 at 03:24:37PM -0800, Andrew Arnott wrote:
> > Definitely some interesting thoughts in there.
> > I'll add one more: while it makes a sensible default for Microsoft to cause
> > .NET connections to HTTPS servers without a signed cert by a known good CA
> > to fail, it doesn't seem like it should require the whole machine to trust
> > the individual web site if that web site wishes to go ahead and make a
> > connection. Crying out loud: if a partial trust web site can initiate an
> > HTTP connection to a random server (which it can, with GoDaddy's small
> > deviation to Medium Trust), why couldn't it also open an HTTPS connection in
> > order to encrypt the traffic, and decide to be its own judge on the validity
> > of that certificate?
> >
> > I'm going to poke around Microsoft and see if I can't get this policy
> > changed so that .NET clients can approve of these certs signed by
> > lesser-known CAs.
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
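Added example, not code from the thread or from any OpenID library: a .NET HTTPS client that is "its own judge" of the server certificate, in the sense Andrew asks for, by validating the chain against roots the application alone trusts while leaving the machine and account root stores untouched. It assumes .NET 5 or later (X509ChainTrustMode.CustomRootTrust and ImportFromPemFile did not exist in the framework the 2009 thread discusses) and a placeholder file name for the app's root list.

```csharp
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class AppScopedTrust
{
    // Roots this application alone trusts, read from a file the app controls
    // (placeholder path). Nothing is added to the Windows root store.
    // Assumes .NET 5+ for CustomRootTrust and ImportFromPemFile.
    static readonly X509Certificate2Collection AppRoots = LoadRoots("app-trusted-roots.pem");

    static X509Certificate2Collection LoadRoots(string pemPath)
    {
        var roots = new X509Certificate2Collection();
        roots.ImportFromPemFile(pemPath);
        return roots;
    }

    // Validation callback: rebuild the chain against AppRoots only. The platform's
    // RemoteCertificateChainErrors is deliberately ignored (the OS store need not
    // trust our roots), but the hostname check is never overridden.
    static bool ValidateAgainstAppRoots(HttpRequestMessage request, X509Certificate2? cert,
                                        X509Chain? platformChain, SslPolicyErrors errors)
    {
        if (cert is null || errors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable))
            return false;
        // A cert from a trusted CA issued for a different host is still the wrong host.
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch))
            return false;
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(AppRoots);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        // Reuse the intermediates the server presented so the chain can be built.
        if (platformChain is not null)
            foreach (var element in platformChain.ChainElements)
                chain.ChainPolicy.ExtraStore.Add(element.Certificate);
        return chain.Build(cert);
    }

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = ValidateAgainstAppRoots
        };
        return new HttpClient(handler);
    }
}
```

Only the root of trust moves from the OS store into the application; hostname matching and revocation checking stay in force, which is what separates this from the "accept anything" callbacks that Peter Watkins' per-account approach was meant to avoid.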