Re: SASL/EXTERNAL (TLS)
"Kurt D. Zeilenga" wrote:
> The authentication identity can be in any form.
The identity has to be unique?
> I would rather the
> form be as "natural" as possible. That is, if the authentication
> identity is derived from an X.509 certificate, the identity
> should be in a "natural" (e.g. X.500) form.
I would not even speak of an X.500 form when using a cert DN, since
most CAs issue certs without caring about directory structure at
all. E.g. look at my freemail cert DN issued by Thawte:
Just use the cert DN as an unstructured but unique identifier,
regardless of its having been meant as an X.500 name in former days. Note: the
cert DN only has to be unique within the name-space of a CA. Two
different CAs can issue different certs with the same DN.
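The last point of the reply, that a subject DN is only unique within one CA's name-space, is easy to get wrong when a server maps a client certificate to a SASL/EXTERNAL authentication identity. The following is an added example, not code from the original thread or from any SASL implementation; the certificates are constructed dicts holding only the issuer and subject DNs (the DNs are made up and are not the poster's Thawte DN), and the two keying functions are hypothetical names chosen for illustration. It shows that keying the identity on the subject DN alone lets certificates from two different CAs collapse into one identity, while keying on the (issuer, subject) pair keeps them apart.

```python
# Added example (not from the original post): authentication-identity
# derivation from a client cert, with and without the issuer in the key.
from typing import Callable, Dict, Hashable, List

# Constructed sample certificates, reduced to the two DNs that matter here.
# Both carry the same subject DN but were issued by different CAs.
CERTS: List[Dict[str, str]] = [
    {"issuer": "CN=Example Freemail CA,O=Example CA Inc,C=US",
     "subject": "CN=Alice Example,E=alice@example.org"},
    {"issuer": "CN=Other Public CA,O=Other CA Ltd,C=UK",
     "subject": "CN=Alice Example,E=alice@example.org"},
    {"issuer": "CN=Other Public CA,O=Other CA Ltd,C=UK",
     "subject": "CN=Bob Example,E=bob@example.org"},
]


def normalize_dn(dn: str) -> str:
    """Canonicalise an RFC 4514 string DN for comparison: lower-case the
    attribute types and strip whitespace around each RDN. Assumes no
    escaped commas in values (true for the constructed samples above)."""
    parts = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        parts.append(f"{attr_type.strip().lower()}={value.strip()}")
    return ",".join(parts)


def identity_from_subject(cert: Dict[str, str]) -> Hashable:
    """Hypothetical weak scheme: subject DN alone as the identity."""
    return normalize_dn(cert["subject"])


def identity_from_issuer_and_subject(cert: Dict[str, str]) -> Hashable:
    """Hypothetical safer scheme: (issuer DN, subject DN) as the identity,
    so the CA's name-space is part of the key."""
    return (normalize_dn(cert["issuer"]), normalize_dn(cert["subject"]))


def build_identity_map(certs: List[Dict[str, str]],
                       key_fn: Callable[[Dict[str, str]], Hashable]
                       ) -> Dict[Hashable, List[Dict[str, str]]]:
    """Group certificates by the identity a scheme derives for them."""
    table: Dict[Hashable, List[Dict[str, str]]] = {}
    for cert in certs:
        table.setdefault(key_fn(cert), []).append(cert)
    return table


def collisions(certs: List[Dict[str, str]],
               key_fn: Callable[[Dict[str, str]], Hashable]
               ) -> Dict[Hashable, List[Dict[str, str]]]:
    """Identities that more than one certificate maps to; any entry here
    means two distinct certs would authenticate as the same user."""
    return {k: v for k, v in build_identity_map(certs, key_fn).items()
            if len(v) > 1}


if __name__ == "__main__":
    print("subject-only collisions:", collisions(CERTS, identity_from_subject))
    print("issuer+subject collisions:",
          collisions(CERTS, identity_from_issuer_and_subject))
```

The same effect can be had by restricting the server to a single trusted issuer, in which case the subject DN is unique by construction; the point is that uniqueness is a property of the CA's name-space, not of the DN string itself.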