Support multiple CA's public keys for service-provider authentication
Summary
There should be a way to provide one or more CA's public keys that can be used to verify the authenticity of a TLS-encrypted services. In our case, we have many such service types that should be TLS encrypted if accessed remotely (i.e., not in the same network), such as Keycloak/IdP, TES (or directly Kubernetes), TRS, etc. For the general case, it may even be possible that some of these are there in multiple instances, e.g., multiple TRS-servers or multiple TES-servers, and there may not be a guarantee that all these are governed by the same organization.
Details
In the Java world there are truststores for this task. In Python there seems no such standard. There is a truststore library that allows accessing actual truststores (like those used in Java).
Risks
- Critical: Only trusted services must be accessed. An attempt to access a non-trusted service -- i.e., one whose TLS-public key is not in the "truststore" must be rejected and logged.
- Normal:
- Minor:
Verification & Validations
- Access service without certificate in truststore -> fail
- Access service with certificate in truststore -> succeed
- Access 2 services with different certificates in truststore -> succeed (multiple certificates should be storable)
- For each service configure whether TLS verification is required.
Important Stakeholders
@alexanderkanitz , I guess. So this is a cloud use-case.
Implementation Suggestions (optional)
Maybe use the truststore library. Maybe not. We should check its reliability (number of non-trivial contributors; number of open issues and time till issues are answered; etc.).