Description
This issue is based on #4408.
The current implementation of calling the Caching service to work with PAT is based on HTTP communication between the GW and the Caching service. The caller provides the serviceId and the DN of the service's certificate as part of the request.
There are a couple of weaknesses with this approach:
- Caching service doesn't verify DN provided in header with a real certificate
  Any caller with a client certificate could write in the same storage (using a different certificate and the same DN).
- DN depends on the certificate in usage (see header `X-Certificate-DistinguishedName` and x509 authentication scheme)
  If the certificate is updated, it should contain the same DN, otherwise all records are forgotten (using a different DN would lead to search for different records)
Using DN seems to be a fragile solution. A better solution would be validating the certificate and storing just under the serviceId.
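The two weaknesses and the proposed keying, modelled as an added example that is not part of the original issue or the project's code. The class names, the fingerprint-to-serviceId allow-list and all sample values are assumptions made for illustration.

```python
# Added model, not the project's code. All names and values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Caller:
    cert_fingerprint: str  # taken from the TLS handshake
    cert_dn: str           # subject DN of that same certificate
    header_dn: str         # X-Certificate-DistinguishedName sent by the caller
    service_id: str        # serviceId sent in the request

class HeaderKeyedStore:
    """Behaviour described in the issue: records keyed by the header DN."""
    def __init__(self):
        self.records = {}
    def put(self, c, key, value):
        self.records[(c.header_dn, c.service_id, key)] = value
    def get(self, c, key):
        return self.records.get((c.header_dn, c.service_id, key))

class ServiceKeyedStore:
    """Proposed behaviour: validate the certificate, key by serviceId only."""
    def __init__(self, authorized):
        self.authorized = authorized  # assumed map: fingerprint -> serviceId
        self.records = {}
    def _check(self, c):
        if c.header_dn != c.cert_dn:
            raise PermissionError("header DN does not match TLS certificate")
        if self.authorized.get(c.cert_fingerprint) != c.service_id:
            raise PermissionError("certificate not authorized for serviceId")
    def put(self, c, key, value):
        self._check(c)
        self.records[(c.service_id, key)] = value
    def get(self, c, key):
        self._check(c)
        return self.records.get((c.service_id, key))

GW_DN = "CN=gateway,O=Example"  # constructed DNs and fingerprints
gateway = Caller("fp-gw-1", GW_DN, GW_DN, "gateway")
other = Caller("fp-other", "CN=other,O=Example", GW_DN, "gateway")
NEW_DN = "CN=gateway-renewed,O=Example"
rotated = Caller("fp-gw-2", NEW_DN, NEW_DN, "gateway")  # renewed certificate

def demo():
    old = HeaderKeyedStore()
    old.put(gateway, "pat", "invalidated")
    old.put(other, "pat", "tampered")  # lands in the gateway's slot
    new = ServiceKeyedStore({"fp-gw-1": "gateway", "fp-gw-2": "gateway"})
    new.put(gateway, "pat", "invalidated")
    return old.get(gateway, "pat"), old.get(rotated, "pat"), new.get(rotated, "pat")
```

`demo()` returns the overwritten value for the header-keyed store, `None` for the same store after the DN changes, and the original record for the serviceId-keyed store after the certificate is renewed.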