[Box Backup] Question about certificates

Nuno Fernandes boxbackup@fluffy.co.uk
Thu, 2 Aug 2007 17:50:47 +0100


Hi,

On Wednesday 01 August 2007 19:25:00 Chris Wilson wrote:
> Hi Nuno,
>
> On Wed, 1 Aug 2007, Nuno Fernandes wrote:
> >>> Apparently bbstored-certs /etc/box/bbstored/certs init creates 2 root
> >>> CAs (one for clients and the other for servers). Why does it create 2
> >>> CAs?
> >>
> >> One is for validating servers, the other for validating clients. I
> >> think servers are just accepted as valid if they present a valid
> >> certificate signed by the server CA. For clients, the CN must match - I
> >> think it must be BACKUP-<account number> (without zeros at the beginning),
> >> the certificate being signed by the client CA.
> >
> > Can't I use the same CA to validate servers and clients?
>
> You can, but it's not secure. It allows one of your clients to pretend to
> be a valid server for any other client.
It's not secure? Why not? A client can only pretend to be a server with the 
name BACKUP-X where X is the client number. If another client would connect 
to server1.domain.com and a client would only have a certificate with the 
common name of BACKUP-X and not server1.domain.com.

Rgds
Nuno Fernandes


> If you really want to do that, just set the ServerCA (on the client) and
> ClientCA (on the server) to point to the same certificate.
>
> Cheers, Chris.
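
As an added illustration (not part of the thread and not Box Backup's own code), the script below uses the openssl command line to show which peer certificates a chain-only check accepts when the client and server CAs are separate and when they are shared. The CA names, the host name server1 and the accounts BACKUP-1 and BACKUP-2 are constructed, and it assumes the validating side checks only the signing chain, as the quoted reply suggests for servers.

```shell
#!/bin/sh
# Added example: throwaway CAs and certificates, all names constructed.
# It tests chain validation only; a CN or host name check is a separate control.
set -e

# make_ca DIR NAME: self-signed root CA (NAME.key, NAME.pem) in DIR
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR CA CN: certificate for CN signed by CA
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# chains_to DIR CA CN: "accepted" if CN's certificate verifies with CA as the only trust root
chains_to() {
    if openssl verify -CAfile "$1/$2.pem" "$1/$3.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" clientCA; make_ca "$d" serverCA; make_ca "$d" sharedCA
    issue "$d" serverCA server1     # real server, separate-CA layout
    issue "$d" clientCA BACKUP-1    # client account, separate-CA layout
    issue "$d" sharedCA BACKUP-2    # client account, shared-CA layout
    echo "client trusts serverCA, peer presents server1:  $(chains_to "$d" serverCA server1)"
    echo "client trusts serverCA, peer presents BACKUP-1: $(chains_to "$d" serverCA BACKUP-1)"
    echo "client trusts sharedCA, peer presents BACKUP-2: $(chains_to "$d" sharedCA BACKUP-2)"
    rm -rf "$d"
}

demo
```

With separate CAs the client-account certificate fails chain validation on the client side regardless of its CN; with a shared CA the chain check no longer distinguishes the two roles, so any remaining separation depends entirely on name checks.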