[SERVER-27299] Add the ability to restrict power of Certificate Authorities Created: 06/Dec/16 Updated: 06/Dec/22 |
|
| Status: | Backlog |
| Project: | Core Server |
| Component/s: | Admin, Networking, Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Backlog - Security Team |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | platforms-re-triaged | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||
| Assigned Teams: |
Server Security
|
||||
| Participants: | |||||
| Description |
|
Certificate Authorities(CAs) loaded into MongoDB processes are used to validate certificates presented by clients. Client certificates can be used to prove clients were granted a certificate before they connected, perform client authentication, or perform intra-cluster authentication, or perform authorization. It would be useful to be able to restrict how certificates issued by a particular CA, or CAs it has delegated signing authority to, may be used. This could be done by adding a configuration option to MongoDB which would accept a mapping from CA Serial Numbers to the list of actions that the CA may be used for. |