Hi There:

The limitations of mod_ssl for path validation are further than what you have
described, in that it also cannot perform policy mapping up the entire
certificate chain, and also has no concept of how to deal with AIA or SIA
fields. I'm not sure where the developers are in terms of full RFC 3280 Path
Validation compliance, but as we also have a need for more full path
validation, especially a model that will work in a Cross-Certification type
environment.

It is our intent to be starting to work on this this fall, unless we hear from
the community that there is already work underway to add in full 3280
validation to mod_ssl.

(I'll probably take this over to modssl-devel, but since you asked, I thought
that I would bring it up here.)

Cheers.

On Thursday 31 August 2006 08:53, rlabbe@satx.rr.com wrote:
> All,
>
> I am working in an environment utilizing a PKI consisting of several
> Root and Intermediate Certificate Authorities. In order to reduce the
> overhead when requiring client authentication using digital
> certificates, I am using the following two directives:
>
> SSLCACertificatePath – Used for Root and Intermediate CAs
> SSLCARevocationPath – Used to Process Certificate Revocation Lists
>
> I've yet to encounter a version of Apache and Mod_SSL performing proper
> path validation. If a user presents a certificate that is revoked, but
> not included in the directory containing all the PEM/Base64 encoded CRL
> files and associated symbolic links, Apache allows access.
>
> If a user presents a certificate issued from an Intermediate
> Certificate Authority that is not included in the directory containing
> all the Root and Intermediate CA certificates in PEM/Base64 encoded
> format and associated symbolic links, he/she is allowed access.
>
> I would prefer the system to validate the entire chain and not allow
> access in the event a local CRL file or Intermediate CA certificate is
> not available. By default, IIS performs this path validation correctly.
> If IIS does not have a current CRL file issued by each and every CA in
> the certificate path, the client is denied access. If IIS does not have
> a certificate from each and every CA in the certificate path, the
> client is denied access.
>
> I am trying to automate the process of updating the CA certificate
> directory and associated CRL directories by scheduling a job to run on
> a nightly basis. If Apache has a local CRL and CA certificate from each
> and every CA in the path used to issue the client certificates, then
> all checks are performed and the client is properly validated.
>
> I would prefer the system default to "Closed" instead of "Open" in the
> event an Intermediate CA certificate is unavailable or no CRL file is
> available. Again, the system must have at least one CA certificate
> trusted and available locally, but no CRL files.
>
> Note: I have issued a client certificate from a client certificate
> issued by one of the Intermediate CAs and Apache does deny access
> because the key usage of the client certificate does not allow it to be
> used as a Root CA and issue additional client certificates. I used
> OpenSSL in order to issue client certificates from a client
> certificate. This type of path validation seems to work on all the
> versions of Apache and Mod_SSL I've tested.
>
> Thanks
> __________________________________________________ ____________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org


-- 
Patrick Patterson
President and CEO
Carillon Information Security Inc.
http://www.carillon.ca
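
The nightly update job described in the quoted message can enforce the "closed" default on its own side. The following is an added example, not part of the thread and not mod_ssl code: it audits the two hashed directories named by SSLCACertificatePath and SSLCARevocationPath and reports every CA that has no CRL link. It assumes the links follow OpenSSL's hashed-directory naming (`<hash>.N` for certificates, `<hash>.rN` for CRLs); the function names are hypothetical, and it checks presence only, not CRL signatures or expiry.

```python
import os
import re
import sys

# OpenSSL hashed-directory link names: a CA certificate is <8 hex>.<n>,
# a CRL is <8 hex>.r<n>. A CA's subject hash equals its CRL's issuer hash.
CERT_LINK = re.compile(r"^([0-9a-f]{8})\.(\d+)$")
CRL_LINK = re.compile(r"^([0-9a-f]{8})\.r(\d+)$")


def hashed_entries(directory, pattern):
    """Return ({hash: [link names]}, [dangling link names]) for one directory."""
    live, dangling = {}, []
    for name in sorted(os.listdir(directory)):
        match = pattern.match(name)
        if not match:
            continue  # the PEM files themselves, READMEs, etc.
        if os.path.isfile(os.path.join(directory, name)):  # follows symlinks
            live.setdefault(match.group(1), []).append(name)
        else:
            dangling.append(name)  # link whose target file was removed
    return live, dangling


def audit(ca_dir, crl_dir):
    """List the gaps that would let a chain be accepted without a CRL check."""
    cas, bad_ca = hashed_entries(ca_dir, CERT_LINK)
    crls, bad_crl = hashed_entries(crl_dir, CRL_LINK)
    return {
        # Matching is per name hash; colliding hashes (.0/.1) are not told apart.
        "ca_without_crl": sorted(h for h in cas if h not in crls),
        "crl_without_ca": sorted(h for h in crls if h not in cas),
        "dangling_links": sorted(bad_ca + bad_crl),
    }


def is_complete(findings):
    """True only when every trusted CA has a CRL and no link is broken."""
    return not any(findings.values())


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py <SSLCACertificatePath> <SSLCARevocationPath>")
    result = audit(sys.argv[1], sys.argv[2])
    for kind, items in result.items():
        for item in items:
            print(f"{kind}: {item}")
    sys.exit(0 if is_complete(result) else 1)
```

A non-zero exit status lets the scheduled job refuse to publish an incomplete directory pair.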