> While this would technically work, it would be really bad news. This would allow anyone with any user cert issued by a CA in the system wide cert store (by any CA in the world) to be trusted and pass authorization checks by p11_child. (Albeit, some directory attributes would have to line up, depending on your match rules)
Well, that's just partially true since, as you said:
- Without a match rule (that has to be configured) there's no access anyway
However, as I was saying, maybe the other way around can be safer?
I mean, SSSD will still use /etc/sssd/pki/sssd_auth_ca_db.pem for the trusted certs, but we will populate it, also adding the ones trusted by the system.
Maybe providing a way to filter them out.
I'm talking only of upgrades from NSS installs though; for new installations people will have to manually add their trusted CAs to /etc/sssd/pki/sssd_auth_ca_db.pem.
The point here is, I suppose, that if the system trusts a CA, then we can't just not trust it for some specific operation; this can still be filtered out (if needed) by using proper sssd config parameters.
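To make the "populate it from the system store, with a way to filter them out" idea concrete, here is an added example (not SSSD code, and not something the project ships): it merges the existing /etc/sssd/pki/sssd_auth_ca_db.pem with the system CA bundle, deduplicates by SHA-256 fingerprint of the DER encoding (the same value `openssl x509 -fingerprint -sha256` prints), and drops any system-sourced CA whose fingerprint is on an operator-maintained deny list, while never dropping a CA the admin put into the SSSD file explicitly. The sample PEM blocks are constructed placeholders with arbitrary base64 bodies, not real certificates, so they exercise only the bundle handling; the system bundle path and the deny-list mechanism are assumptions for illustration.

```python
import base64
import hashlib
import re

# Assumed paths for illustration; the system bundle location varies by distribution.
SSSD_CA_DB = "/etc/sssd/pki/sssd_auth_ca_db.pem"
SYSTEM_CA_DB = "/etc/pki/tls/certs/ca-bundle.crt"

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(bundle: str) -> list:
    """Return every CERTIFICATE block as (sha256_fingerprint_hex, canonical_pem).

    The fingerprint is SHA-256 over the DER bytes (the decoded base64 body),
    so it matches what `openssl x509 -noout -fingerprint -sha256` reports.
    """
    out = []
    for m in PEM_CERT_RE.finditer(bundle):
        body = "".join(m.group(1).split())           # tolerate odd line wrapping
        der = base64.b64decode(body, validate=True)  # reject junk that is not base64
        fp = hashlib.sha256(der).hexdigest().upper()
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
               + "\n-----END CERTIFICATE-----\n")
        out.append((fp, pem))
    return out


def merge_ca_bundles(sssd_db: str, system_db: str, deny_fingerprints) -> tuple:
    """Merge the SSSD CA file with the system bundle.

    - Certificates already in the SSSD file are kept unconditionally: the admin
      chose them, so the deny list does not apply to them.
    - System-trusted certificates are appended unless their fingerprint is on
      the deny list (accepted with or without the colon separators openssl uses).
    - Duplicates (same DER) are emitted once.
    Returns (merged_pem_text, list_of_skipped_fingerprints).
    """
    deny = {fp.replace(":", "").upper() for fp in deny_fingerprints}
    seen, merged, skipped = set(), [], []
    for fp, pem in split_pem_bundle(sssd_db):
        if fp not in seen:
            seen.add(fp)
            merged.append(pem)
    for fp, pem in split_pem_bundle(system_db):
        if fp in seen:
            continue
        seen.add(fp)
        if fp in deny:
            skipped.append(fp)   # filtered out, as the discussion proposes
            continue
        merged.append(pem)
    return "".join(merged), skipped


def _fake_pem(label: bytes) -> str:
    """Constructed placeholder block: base64 of arbitrary bytes, NOT a real certificate."""
    body = base64.b64encode(label * 20).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed sample bundles: one corporate CA already in the SSSD file, and a
# system bundle that repeats it plus two public CAs.
SSSD_DB_SAMPLE = _fake_pem(b"corp-ca-")
SYSTEM_DB_SAMPLE = (_fake_pem(b"corp-ca-") + _fake_pem(b"public-ca-1")
                    + _fake_pem(b"public-ca-2"))


def demo() -> tuple:
    """Deny the second public CA and report (kept_count, skipped_fingerprints)."""
    deny = [split_pem_bundle(SYSTEM_DB_SAMPLE)[2][0]]
    merged, skipped = merge_ca_bundles(SSSD_DB_SAMPLE, SYSTEM_DB_SAMPLE, deny)
    return len(split_pem_bundle(merged)), skipped


if __name__ == "__main__":
    with open(SSSD_CA_DB) as f, open(SYSTEM_CA_DB) as g:
        text, dropped = merge_ca_bundles(f.read(), g.read(), deny_fingerprints=[])
    print("certificates kept:", len(split_pem_bundle(text)), "skipped:", len(dropped))
```

The merged text is what would be written back to the file named by `certificate_verification = ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem` in sssd.conf; as the comment above notes, a broad CA set is only dangerous in combination with a permissive `[certmap/...]` match rule, so the deny list here complements rather than replaces a tight `matchrule`.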