[Date Prev][Date Next]
Re: Preliminary TLS/SSL success
John Kristian wrote:
> What do you plan to implement?
Essentially, I am still wondering about how to map data in the certificates
to DNs. Since the DNs in the certificates do not have a direct mapping
into directory DNs, some kind of mapping is necessary. The direct mapping
is difficult for the following reasons:
- RFC2377 suggests a method to create non-conflicting Internet-
wide names based on the dc attribute type and seems popular
and likely to see more and more use in the future, especially
when combined with service location systems. Unfortunately,
OpenSSL does not know the OID for that attribute type, and
though it is easy to define such an OID, then Netscape
Communicator does not know about it and instead of displaying
it in any way it just skips those RDNs. The result may be
- LDAP DNs are UTF-8, period. Support for beyond-ASCII data
in X.509 certificates is there, but my limited testing has
suggested that this is a big can of worms and lots of
software will break if tried. Since in some parts of the
world, ASCII is too limited, we may have to live with
UTF-8 in the directory but just ASCII in the certificates.
- For certificates granted by public commercial CAs, a direct
mapping of those names into directory DNs may result
On the other hand, approaches based on searching in the directory,
limit severely the prospects of allowing granting of privileges
in the directory to identities strongly verified but that correspond
to DNs that do not reside in this particular directory. For instance,
we are part of a large organization composed of several related, but
legally and organizationally different, entities. We want to have
controlled access from one part of the organization to the directories
in other parts. That is, I want to believe the certificates granted
at some other place and grant those identities access to my directory,
but those subjects are not in my directory and I don't want to make
a search against their directory just to accept the bind. I think
this scenario may be common in extranet environments.
So I think there may be very different approaches depending on the
exact environment. Any ideas or experiences are welcome.
Of course, then there is the different question of determining whether
an asserted authorization identity is compatible with a given
authentication identity, but I think the solution to both issues go
hand in hand.
> Would you like to know what Netscape does?
> Some relevant documentation is available, at
I'll have a look, thanks.