
Optionally set source-address critical extension?

Open alex opened this issue 5 years ago • 3 comments

Certs can set a critical extension source-address to an IP address, which is then the only IP allowed to use this certificate.

Since we're issuing short lived certs, roaming is probably not a concern. Would it make sense to automatically set this to the requesting client's IP?

alex avatar Feb 17 '20 14:02 alex

Ran into another use case this would be a problem for: If you're SSHing into something on your local network, then your source address will be a local IP, but hallow would still see your global IP.

alex avatar Mar 07 '20 01:03 alex

Having it be optional could be interesting - but passing it would either mean breaking API (and doing something like #66) or passing a header

paultag avatar Mar 07 '20 17:03 paultag

I was thinking it'd be a configuration option for hallow itself. Maybe HALLOW_SOURCE, default=none. Other values: auto (set it to the requesting IP) or a comma separated CIDR list

On Sat, Mar 7, 2020 at 12:08 PM Paul Tagliamonte wrote:

> Having it be optional could be interesting - but passing it would either mean breaking API (and doing something like #66 https://github.com/hallowauth/hallow/issues/66) or passing a header


alex avatar Mar 07 '20 17:03 alex
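To make the two ideas in this thread concrete (the source-address critical option from the opening post, and the none / auto / CIDR-list configuration proposed above), here is a small added example in Go. It is not hallow's code: HALLOW_SOURCE is only the name proposed in this thread, and the function names, the map-based stand-in for a certificate's critical options, and the sample addresses are all assumptions made for the example. It also shows the failure mode from the second comment: a cert pinned in "auto" mode to the global IP hallow saw is rejected when the client connects over its LAN address.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// sourceAddressOption computes the value for the OpenSSH "source-address"
// critical option. mode is the hypothetical HALLOW_SOURCE setting from this
// thread: "none" (or empty), "auto", or a comma-separated CIDR list. clientIP
// is the address hallow observed on the signing request. It returns
// ("", false, nil) when no option should be set on the certificate.
func sourceAddressOption(mode, clientIP string) (string, bool, error) {
	switch strings.TrimSpace(mode) {
	case "", "none":
		return "", false, nil
	case "auto":
		ip := net.ParseIP(clientIP)
		if ip == nil {
			return "", false, fmt.Errorf("invalid client IP %q", clientIP)
		}
		// Pin the certificate to exactly the requesting address.
		bits := 32
		if ip.To4() == nil {
			bits = 128
		}
		return fmt.Sprintf("%s/%d", ip, bits), true, nil
	}
	// Explicit CIDR list: validate every entry so a typo in the config
	// cannot produce a certificate sshd will refuse outright.
	var cidrs []string
	for _, raw := range strings.Split(mode, ",") {
		raw = strings.TrimSpace(raw)
		if raw == "" {
			continue
		}
		_, n, err := net.ParseCIDR(raw)
		if err != nil {
			return "", false, fmt.Errorf("HALLOW_SOURCE entry %q: %w", raw, err)
		}
		cidrs = append(cidrs, n.String()) // normalised network form
	}
	if len(cidrs) == 0 {
		return "", false, errors.New("HALLOW_SOURCE contained no CIDRs")
	}
	return strings.Join(cidrs, ","), true, nil
}

// sourceAllowed mirrors the check sshd performs at login: the connecting
// address must fall inside at least one CIDR of the option value.
func sourceAllowed(option, connIP string) bool {
	ip := net.ParseIP(connIP)
	if ip == nil {
		return false
	}
	for _, c := range strings.Split(option, ",") {
		_, n, err := net.ParseCIDR(strings.TrimSpace(c))
		if err != nil {
			return false // malformed option: fail closed, as sshd would
		}
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// criticalOptions builds the map that would populate the certificate's
// critical options before signing (a map[string]string stand-in, assumed here).
func criticalOptions(mode, clientIP string) (map[string]string, error) {
	opts := map[string]string{}
	v, set, err := sourceAddressOption(mode, clientIP)
	if err != nil {
		return nil, err
	}
	if set {
		opts["source-address"] = v
	}
	return opts, nil
}

func main() {
	// Constructed sample: hallow saw the client's global address, but the
	// client later SSHes to a host on its LAN from a private address.
	opts, _ := criticalOptions("auto", "203.0.113.7")
	fmt.Println("auto mode option:", opts["source-address"])
	fmt.Println("LAN login allowed:", sourceAllowed(opts["source-address"], "192.168.1.20"))

	opts, _ = criticalOptions("10.0.0.0/8, 192.168.0.0/16", "203.0.113.7")
	fmt.Println("CIDR-list option:", opts["source-address"])
	fmt.Println("LAN login allowed:", sourceAllowed(opts["source-address"], "192.168.1.20"))
}
```

Running it shows why "auto" alone is not enough for the LAN case: the /32 pinned to the global address never matches 192.168.1.20, whereas an operator-supplied CIDR list covering the private ranges does.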