[OWASP-Bangalore] [null] X509 Certificate Authentication - For Secure Server-Server Communication

Akash akashmahajan at gmail.com
Sat Jan 5 03:19:53 UTC 2019


You can always use easy-rsa if you are not interested in going down the
route of managed PKI.

https://github.com/OpenVPN/easy-rsa
https://wiki.archlinux.org/index.php/Easy-RSA

I have used easy-rsa to do PKI for internal LANs in the past, and it works
fairly well when you control the servers and the hosts.

Hey Abhay, are you talking about this from Cloudflare?

https://github.com/cloudflare/cfssl

Never used it before but would love to hear your thoughts on its usage.


On Fri, 4 Jan 2019 at 18:53, Abhay Rana <capt.n3m0 at gmail.com> wrote:

> On Fri, 4 Jan 2019, 16:05 cyber research <001.appsec.007 at gmail.com> wrote:
>
> > It sounds clear and we are planning to implement "X509" certificate
> > authentication (handles only authentication) with JWT tokens (handles
> > authorization). I believe this implementation is very secure.
>
> There are lots of known attacks on JWT that rely on very common
> misconfigurations. It is possible to deploy JWT securely, but JWT by
> virtue is a very abstract protocol that allows clients a lot of
> control and misconfigurations can cause a lot of damage.
>
> There is an IETF Draft for JWT Best Practices[0] that you should read
> if you're planning to implement it.
>
> For X509 Auth, I'd highly recommend letting someone else take care of
> the PKI for you. AWS, for example, supports a Private Managed CA[1], and
> Cloudflare supports TLS Client Cert Authentication[2].
>
> There is also the additional trouble of managing cert revocations and
> rotations that you'll need to figure out (Using a Managed CA can help
> with this).
>
> [0]: https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-04
> [1]: https://aws.amazon.com/certificate-manager/private-certificate-authority/
> [2]: https://blog.cloudflare.com/introducing-tls-client-auth/
>


-- 
Warm regards,
Akash Mahajan

*Co-Founder Appsecco* | +91 99 805 271 82
akashm.com | *@makash* | linkd.in/webappsecguy
*OWASP Bangalore Chapter Lead | null Community Manager*
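The JWT-misconfiguration point in Abhay's quoted reply, as an added example that is not part of this thread or of any project it mentions: a stdlib-only HS256 verifier that pins the expected algorithm on the server side instead of trusting the token header, so unsigned ("alg": "none") or algorithm-confused tokens fail closed, and that requires an exp claim. The key, claims and helper names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
EXPECTED_ALG = "HS256"  # fixed server-side; never taken from the token header

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def sign_hs256(claims: dict, key: bytes) -> str:
    header = b64url_encode(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, now: float) -> dict:
    # Returns the claims or raises ValueError. The header's "alg" is only checked
    # for agreement with EXPECTED_ALG, never used to pick the verification method,
    # so "alg": "none" and algorithm confusion fail closed. `now` is epoch seconds.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected or missing alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    exp = claims.get("exp") if isinstance(claims, dict) else None
    # exp is required: a token without one would be accepted forever.
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired or missing exp")
    return claims

def is_valid(token: str, key: bytes, now: float) -> bool:
    # Boolean wrapper; base64 and JSON decode errors are ValueError subclasses.
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False
```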