A secure user
Jim Hranicky
jfh at cise.ufl.edu
Thu Apr 20 08:21:32 PDT 2006
> Hmm, so you are looking to implement a "signing authority" kind of
> setup, where the client certificate validates the user info that
> has been passed by a trusted cupsd (or other) client.

Exactly.

> This is certainly possible and an interesting option, but you will
> still need to hack the client library or seriously hack the IPP
> backend to get the certificate and user info passed in the request.
> The amount of work will be pretty much the same - the only difference
> is whether the server treats certificates as user- or system-
> specific...

The only cert that needs to be passed is the local cupsd cert,
the signing authority cert. I think all I need to do is add
support for a URI of the type:

    https://cups.x.com/printers/lp1?cert=/path/to/signauth-cert.pem

User certs shouldn't be required.

> > I don't see why this couldn't be added now as a stopgap measure
> > until certs are fully supported. Even if certs are fully supported,
> > I don't relish the idea of issuing one for all my users :->
>
> This can be automated a bit, just like with SSH, and then the
> server can authenticate the client normally the first time to
> collect the client's certificate and user association.

Possibly, though I think limiting the certs to just a signing
authority cert cuts down on the amount of code needed.

Jim