<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" 
xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>CTLs
are not the whole story, but are a good place to start to see where the
security constraints in the hosted environment are imposed by the hoster’s
core setup. It’s also interesting to glimpse from the following how .NET
has evolved the trust management framework since the IIS4 days I once knew
well, and see how the modern ACS is going further (rant on: in ways that are no
longer being enforced solely within the crypto boundary, relying more on trusted
systems theory like AuthMan RBAC; rant off). <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I’m
starting to envy Dick. This modern trust stuff looks like so much fun! Microsoft
core platform engineering on crypto has always been classy, though can tend to
become somewhat obscure and overly-professionalized – particularly as native
code is mapped into the VM, as we see in the first resource:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a
href="http://blogs.msdn.com/gproano/archive/2005/03/22/400645.aspx">http://blogs.msdn.com/gproano/archive/2005/03/22/400645.aspx</a>
(fiddling with CTLs programmatically in early .NET)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>If
GoDaddy has console access, <a
href="http://www.leastprivilege.com/CertificateBasedAuthenticationAndWCFTransportSecurity.aspx">http://www.leastprivilege.com/CertificateBasedAuthenticationAndWCFTransportSecurity.aspx</a><span
style='color:#1F497D'> gives you a start on the core CTL ideas in an IIS
context, but is obviously not dynamic.</span><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a href="http://www.leastprivilege.com/SslStreamSample.aspx">http://www.leastprivilege.com/SslStreamSample.aspx</a>
(low-level access to the SSL client library, presumably applying http.sys, with
validation callback interface)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>WCF
model on app-based certificate trust constructs: <a
href="http://www.leastprivilege.com/CertificateBasedAuthenticationAndWCF.aspx">http://www.leastprivilege.com/CertificateBasedAuthenticationAndWCF.aspx</a>
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>custom
validation <a
href="http://www.leastprivilege.com/CertificateBasedAuthenticationAndWCFMessageSecurity.aspx">http://www.leastprivilege.com/CertificateBasedAuthenticationAndWCFMessageSecurity.aspx</a>.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Looks
like the peer trust model may be good for an openid ID RP doing what I
suggested (to enhance https openid discovery). It can then collect all the
asserted certificates from an OP, and then custom validation logic binds a
particular cert to the inbound openid, for use next time with a vanity https URL
that ultimately resolves during discovery to that OP-provisioned openid (via
redirect, via delegation, or whatever).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><a
href="http://www.leastprivilege.com/FederatingWithLiveIDUsingTheAccessControlService.aspx">http://www.leastprivilege.com/FederatingWithLiveIDUsingTheAccessControlService.aspx</a>
(modern clue on how folks MAY? address the issue of trust in a .NET host, of
which IIS7 is only one option, recall. See notion of ACS.) Only relevant to the
distant future tho. Will probably be highly relevant to OP/RP white-listing
too, tho.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Andrew
Arnott<br>
<b>Sent:</b> Saturday, January 03, 2009 7:06 PM<br>
<b>To:</b> Peter Watkins<br>
<b>Cc:</b> general@openid.net<br>
<b>Subject:</b> Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP
implementations)<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>On Sat, Jan 3, 2009 at 4:34 PM, Peter Watkins <<a
href="mailto:peterw@tux.org">peterw@tux.org</a>> wrote:<o:p></o:p></p>
<p class=MsoNormal><br>
Can't you "just" add the CAs to trusted roots for the Windows account<br>
that the <a href="http://asp.net" target="_blank">asp.net</a> app
runs as? <o:p></o:p></p>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<p class=MsoNormal>Not while that <a href="http://ASP.NET">ASP.NET</a> app is
running with medium trust. <o:p></o:p></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>On Sat, Jan 3, 2009 at 4:34 PM, Peter Watkins <<a
href="mailto:peterw@tux.org">peterw@tux.org</a>> wrote:<o:p></o:p></p>
<p class=MsoNormal><br>
Can't you "just" add the CAs to trusted roots for the Windows account<br>
that the <a href="http://asp.net" target="_blank">asp.net</a> app runs as? I
suppose it'd be tougher for folks<br>
using integrated auth & impersonation, but I also expect most <a
href="http://asp.net" target="_blank">asp.net</a><br>
webapps doing OpenID auth aren't using impersonation. Similarly, I'd<br>
expect to be able to remove CA certs from the <a href="http://asp.net"
target="_blank">asp.net</a> webapp user's<br>
profile in order to shorten the CA whitelist.<br>
<br>
I don't know how tough it is to edit the root certs for the profiles of<br>
app pool-type accounts, and hope you'll forgive my not firing up<br>
Studio on a Saturday night to see if there's an obvious API. :-)<br>
<br>
On *nix it's usually pretty straightforward -- find the keystore<br>
holding root certs and manipulate it via OpenSSL, Java keytool,<br>
or whatever app is appropriate for the environment. Is it not the<br>
same in Windows?<br>
<span style='color:#888888'><br>
-Peter</span><o:p></o:p></p>
<div>
<div>
<p class=MsoNormal><br>
On Sat, Jan 03, 2009 at 03:24:37PM -0800, Andrew Arnott wrote:<br>
> Definitely some interesting thoughts in there.<br>
> I'll add one more: while it makes a sensible default for Microsoft to
cause<br>
> .NET connections to HTTPS servers without a signed cert by a known good CA<br>
> to fail, it doesn't seem like it should require the whole machine to trust<br>
> the individual web site if that web site wishes to go ahead and make a<br>
> connection. Crying out loud: if a partial trust web site can
initiate an<br>
> HTTP connection to a random server (which it can, with GoDaddy's small<br>
> deviation to Medium Trust), why couldn't it also open an HTTPS connection
in<br>
> order to encrypt the traffic, and decide to be its own judge on the
validity<br>
> of that certificate?<br>
><br>
> I'm going to poke around Microsoft and see if I can't get this policy<br>
> changed so that .NET clients can approve of these certs signed by<br>
> lesser-known CAs.<o:p></o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
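<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>The
thread above argues over two ways a .NET HTTPS client can come to trust an OP
certificate signed by a lesser-known CA: adding the CA to the trusted roots of
the Windows account the ASP.NET app runs as (Peter's suggestion, which Andrew
notes is unavailable under medium trust), or letting the application be "its own
judge" of the server certificate (Andrew's wish). The C# below is an added
example written for this page, not code from the thread or from any of the
linked posts. It shows both mechanisms from the client side and contrasts the
common insecure shortcut (accepting every certificate) with a narrow override
that only substitutes an explicit CA allow-list for the machine-wide root store.
It assumes .NET Framework (the System.Net and X509 APIs present since .NET 2.0)
and that the code runs with enough trust to touch the certificate store and set
the ServicePointManager callback; the thumbprint, class and method names are
constructed for illustration.</span></p>

```csharp
// Added example, not code from the thread or the linked posts. Names, the
// placeholder thumbprint and the .cer path are constructed for illustration.
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class OpCertificatePolicy
{
    // Constructed placeholder: SHA-1 thumbprints (hex, as X509Certificate2.Thumbprint
    // reports them) of the CAs this application chooses to trust for its OPs.
    // A real deployment would load these from configuration.
    static readonly string[] TrustedCaThumbprints =
    {
        "0000000000000000000000000000000000000001", // placeholder "Lesser-Known CA"
    };

    // The same CAs as certificates, so a chain can be built to them even though
    // they sit in no Windows certificate store. Filled by LoadTrustedCa at startup.
    static readonly X509Certificate2Collection TrustedCaCertificates =
        new X509Certificate2Collection();

    public static void LoadTrustedCa(string cerPath)
    {
        TrustedCaCertificates.Add(new X509Certificate2(cerPath));
    }

    // Mechanism 1: add the CA to the app-pool account's own Root store.
    // This is a one-off administrative step that needs full trust (the thread's
    // medium-trust constraint applies), and Windows prompts the interactive user
    // before a certificate is added to a user's Root store.
    public static void AddCaToCurrentUserRoots(string cerPath)
    {
        X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        try { store.Add(new X509Certificate2(cerPath)); }
        finally { store.Close(); }
    }

    // The shortcut to avoid: HTTPS becomes encrypted but unauthenticated, so any
    // server that can sit on the path to the OP is accepted as the OP.
    static bool AcceptAnything(object sender, X509Certificate cert, X509Chain chain,
                               SslPolicyErrors errors)
    {
        return true;
    }

    // Mechanism 2, done narrowly: the only error we override is "untrusted root",
    // and only when a chain built with our own CA set ends at an allow-listed CA.
    public static bool ValidateAgainstAllowList(object sender, X509Certificate cert,
                                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;  // machine already trusts it
        // Any other flag (name mismatch, no certificate) in the set means reject.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors) return false;

        X509Chain ourChain = new X509Chain();
        ourChain.ChainPolicy.ExtraStore.AddRange(TrustedCaCertificates);
        // Let Build run past "untrusted root" so the root can be inspected;
        // revocation checking keeps its default mode and can still fail the chain.
        ourChain.ChainPolicy.VerificationFlags =
            X509VerificationFlags.AllowUnknownCertificateAuthority;
        if (!ourChain.Build(new X509Certificate2(cert))) return false;

        foreach (X509ChainStatus s in ourChain.ChainStatus)
        {
            if (s.Status != X509ChainStatusFlags.NoError &&
                s.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;  // expired, revoked, partial chain, bad signature, ...
        }

        // The last element is the root the chain actually terminated at.
        X509ChainElementCollection els = ourChain.ChainElements;
        string rootThumb = els[els.Count - 1].Certificate.Thumbprint;
        foreach (string allowed in TrustedCaThumbprints)
        {
            if (string.Equals(rootThumb, allowed, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Install the policy for every HttpWebRequest in the process.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            new RemoteCertificateValidationCallback(ValidateAgainstAllowList);
    }
}
```

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>The
design point is that "being your own judge" does not have to mean returning
true: the callback refuses to override hostname mismatches, still lets
expiry and revocation status fail the chain, and accepts an untrusted root
only when it is one the application deliberately listed. A self-signed OP
certificate whose own thumbprint is on the list passes too, which is plain
certificate pinning and is the per-OP binding the message above describes.</span></p>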
</body>
</html>