  1. Couchbase Server
  2. MB-28716

Support HTTP Basic Auth With X.509 Mutual Verification


Details

    • Improvement
    • Resolution: Unresolved
    • Major
    • None
    • 5.5.0
    • ns_server
    • None

    Description

      At present, if you want mutual verification of X.509 certificates, you also have to encode user information into the certificate.

      This is problematic for infrastructures such as Puppet, for which devops usually leverage the built-in PKI to ensure both ends are trusted, but are unable to control the certificate generation process. Adding a user per certificate is also cumbersome for infrastructure as a service without some additional form of service discovery.

      Similarly, for the couchbase-operator we don't want to have to parse certificates to extract and manage user names, which could be externally deleted, or make certificate generation unnecessarily difficult for operators. Also, encoding "Administrator" in a certificate gives me cold sweats.

      I'd ideally like a TLS operating mode whereby the server requires a client certificate, but allows authorization via the existing basic auth HTTP header. Separating authn and authz like this can be thought of as a form of 2FA for additional security.
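
The operating mode requested above, sketched as an added example (not part of the original issue and not Couchbase code): the TLS context rejects any client without a CA-verified certificate, while the user identity is taken only from the Basic auth header. The user store, salt, password and function names are constructed for illustration; certificate file paths are parameters you supply.

```python
import base64
import hashlib
import hmac
import ssl

SALT = b"constructed-salt"  # constructed sample value

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample user store (assumption): user name -> password hash.
USERS = {"operator": _hash("example-password")}

def make_server_context(cafile=None, certfile=None, keyfile=None):
    """Server TLS context whose handshake fails unless the client presents
    a certificate that chains to the trusted CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def parse_basic(header):
    """Return (user, password) from an Authorization header, else None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or non-UTF-8 credentials
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None

def authenticate(peer_cert, auth_header):
    """peer_cert is the dict from SSLSocket.getpeercert(). It only gates
    trust; no user name is ever read from the certificate. Returns the
    authenticated user name, or None."""
    if not peer_cert:  # no verified client certificate on this connection
        return None
    creds = parse_basic(auth_header)
    if creds is None:
        return None
    user, password = creds
    stored = USERS.get(user, b"")  # unknown user never matches a 32-byte hash
    ok = hmac.compare_digest(_hash(password), stored)
    return user if ok else None
```
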


          People

            ajit.yagaty Ajit Yagaty [X] (Inactive)
            simon.murray Simon Murray