Re: Preliminary TLS/SSL success

John Kristian wrote:

> What do you plan to implement?

Essentially, I am still wondering about how to map data in the certificates
to DNs.  Since the DNs in the certificates do not have a direct mapping
into directory DNs, some kind of mapping is necessary.  The direct mapping
is difficult for the following reasons:

	- RFC2377 suggests a method to create non-conflicting Internet-
	  wide names based on the dc attribute type and seems popular
	  and likely to see more and more use in the future, especially
	  when combined with service location systems.  Unfortunately,
	  OpenSSL does not know the OID for that attribute type, and
	  though it is easy to define such an OID, then Netscape
	  Communicator does not know about it and instead of displaying
	  it in any way it just skips those RDNs.  The result may be
	  funny.

	- LDAP DNs are UTF-8, period.  Support for beyond-ASCII data
	  in X.509 certificates is there, but my limited testing has
	  suggested that this is a big can of worms and lots of
	  software will break if tried.  Since in some parts of the
	  world, ASCII is too limited, we may have to live with
	  UTF-8 in the directory but just ASCII in the certificates.

	- For certificates granted by public commercial CAs, a direct
	  mapping of those names into directory DNs may be
	  impractical.

On the other hand, approaches based on searching in the directory
severely limit the prospects of allowing privileges to be granted
in the directory to identities that are strongly verified but correspond
to DNs that do not reside in this particular directory.  For instance,
we are part of a large organization composed of several related, but
legally and organizationally different, entities.  We want to have
controlled access from one part of the organization to the directories
in other parts.  That is, I want to believe the certificates granted
at some other place and grant those identities access to my directory,
but those subjects are not in my directory and I don't want to make
a search against their directory just to accept the bind.  I think
this scenario may be common in extranet environments.

So I think there may be very different approaches depending on the
exact environment.  Any ideas or experiences are welcome.

Of course, then there is the different question of determining whether
an asserted authorization identity is compatible with a given
authentication identity, but I think the solutions to both issues go
hand in hand.

> Would you like to know what Netscape does?
> Some relevant documentation is available, at
> http://home.netscape.com/eng/server/console/4.0/help/5_secure.htm#1063316

I'll have a look, thanks.

Julio
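The two mapping concerns raised in the message (certificate subject DNs that use RFC2377 dc naming, which OpenSSL of that era only knows by OID, and the rule of UTF-8 in the directory but ASCII in certificates) together with the "subjects that are not in my directory" case can be tried out with the following added example. It is not code from the original message or from OpenLDAP; it assumes OpenSSL's one-line subject form (`/C=ES/O=Example/CN=...`), a small hypothetical attribute-type table, and a constructed list of local naming contexts. The dc OID `0.9.2342.19200300.100.1.25` is the real domainComponent OID from RFC 2247.

```python
# Added example (not from the mailing-list message or OpenLDAP): map an X.509
# subject DN string, as OpenSSL prints it, onto an LDAP DN, and decide whether
# that DN lies under one of this server's naming contexts.  ATTR_TYPES and
# LOCAL_SUFFIXES are assumptions for illustration.

DC_OID = "0.9.2342.19200300.100.1.25"   # domainComponent, RFC 2247 / RFC 2377

# Attribute types as OpenSSL prints them (or the dotted OID for a type it
# does not know), mapped to the short names used in LDAP DNs.  Hypothetical.
ATTR_TYPES = {
    "CN": "cn", "commonName": "cn",
    "O": "o", "organizationName": "o",
    "OU": "ou", "organizationalUnitName": "ou",
    "C": "c", "countryName": "c",
    "DC": "dc", "domainComponent": "dc", DC_OID: "dc",
    "emailAddress": "mail",
}


class DNMappingError(ValueError):
    """Raised when a certificate DN cannot be mapped to a directory DN."""


def parse_openssl_subject(subject):
    """Parse OpenSSL's one-line form '/C=ES/O=Example/CN=Name' (root first).

    The one-line form cannot carry a literal '/' in a value, so none is
    expected here.
    """
    if not subject.startswith("/"):
        raise DNMappingError("expected OpenSSL '/type=value/...' form")
    rdns = []
    for part in subject[1:].split("/"):
        if "=" not in part:
            raise DNMappingError("malformed RDN: %r" % part)
        t, v = part.split("=", 1)
        rdns.append((t.strip(), v))
    return rdns


def escape_ldap_value(value):
    """Escape an attribute value for an LDAP string DN (RFC 4514, 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def certificate_dn_to_ldap_dn(subject):
    """Map an OpenSSL subject string to an LDAP DN (most specific RDN first).

    Unknown attribute types are rejected rather than skipped (a client that
    does not know the type would silently misrender the name), and non-ASCII
    values are rejected to keep the ASCII-only-in-certificates rule.
    """
    mapped = []
    for t, v in parse_openssl_subject(subject):
        if t not in ATTR_TYPES:
            raise DNMappingError("unknown attribute type %r in certificate DN" % t)
        if not v.isascii():
            raise DNMappingError("non-ASCII value in certificate DN: %r" % v)
        mapped.append("%s=%s" % (ATTR_TYPES[t], escape_ldap_value(v)))
    return ",".join(reversed(mapped))


def mapping_problem(subject):
    """Return the reason a subject cannot be mapped, or None if it maps."""
    try:
        certificate_dn_to_ldap_dn(subject)
    except DNMappingError as e:
        return str(e)
    return None


def split_dn(dn):
    """Split an RFC 4514 string DN on unescaped commas."""
    comps, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            comps.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    comps.append("".join(cur).strip())
    return comps


def normalize_rdn(rdn):
    """Case-insensitive comparison form of one 'type=value' RDN."""
    t, _, v = rdn.partition("=")
    return t.strip().lower() + "=" + v.strip().casefold()


def is_local_identity(ldap_dn, local_suffixes):
    """True if ldap_dn lies under one of this server's naming contexts.

    A DN outside every local suffix is the 'subject not in my directory'
    case: there is no entry to look up, so the bind can only be accepted on
    the strength of the certificate itself.
    """
    comps = [normalize_rdn(r) for r in split_dn(ldap_dn)]
    for suffix in local_suffixes:
        sc = [normalize_rdn(r) for r in split_dn(suffix)]
        if len(sc) <= len(comps) and comps[-len(sc):] == sc:
            return True
    return False


# Constructed sample naming context for this server (not from the message).
LOCAL_SUFFIXES = ["dc=example,dc=com"]

if __name__ == "__main__":
    local = certificate_dn_to_ldap_dn("/DC=com/DC=example/OU=People/CN=Test User")
    print(local, is_local_identity(local, LOCAL_SUFFIXES))
    remote = certificate_dn_to_ldap_dn("/DC=org/DC=partner/CN=Remote User")
    print(remote, is_local_identity(remote, LOCAL_SUFFIXES))
    print(mapping_problem("/CN=Jos\u00e9"))
```

The suffix check compares RDN by RDN after normalization, so `dc=notexample,dc=com` is correctly not treated as lying under `dc=example,dc=com`, which a plain string-suffix test would get wrong.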