Ulrich Windl wrote:
>>>> Michael Ströder <michael@stroeder.com> wrote on 01.11.2013 at 19:26 in
>> Unfortunately it's not that easy:
>>
>> Consider a (somewhat broken) "official" CA, which you definitely cannot avoid
>> or fix and which issues client certs with non-unique subject-DNs. In this case
>> one has to choose a certain client cert e.g. by issuer-DN/serial for the
>> mapping.
>
> CAs either accept the subject name in the certification request, or they deny
> it, but they never change it.

Not true and also not relevant here.

>> Also consider that you want to off-load revocation checking of client certs to
>> an external process for better performance. In this case you also need to
>> distinguish client certs by some more information than just a subject-DN.
>
> "you" is the process that handles CRLs. That process should be able to do it
> properly.

What exactly do you want to say?

>> Furthermore it's really not unusual to have several CAs which issue client
>> certs for different purposes. So IMHO it should be possible to map client
>> certs by a certain CA only to a certain subset of authz-DNs.
>
> That's also wrong: You don't have to observe the issuing CA, but the
> certificate's attributes, like "X509v3 Key Usage".

Well, I'm not new to PKI but I don't get what you say. I don't want to "observe the CA". I just want to make sure that client certs issued by CA1 get mapped to certain authz-DNs (server objects in my case) and others issued by CA2 get mapped to other authz-DNs.

Did you really understand what I wrote?

Ciao, Michael.
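The mapping Michael describes, as an added example that is not part of the thread and not OpenLDAP's own code: client certificates are keyed by (issuer-DN, serial) rather than by subject-DN, each issuing CA is confined to its own subtree of authz-DNs, and the certificate's extended key usage is checked before any mapping happens. Certificates are modelled as dicts of already-parsed fields (issuer and subject as RFC 4514 strings, serial as an int, EKU as a set of names); the two CA names, the policy table and the sample certificates are all constructed for illustration. The DN normaliser is deliberately minimal: it handles backslash escapes, multi-valued RDNs, attribute-type case and separator whitespace, but does not case-fold values, since that depends on each attribute's matching rule.

```python
"""Map TLS client certificates to authz-DNs by (issuer, serial), not subject.

Added example for the thread above; not OpenLDAP's code and not code posted by
either participant. Certificates are dicts of already-parsed fields; the CA
names, policy table and sample certificates below are constructed.
"""


def _split_unescaped(s, sep):
    """Split s on sep while honouring RFC 4514 backslash escapes."""
    parts, cur, esc = [], [], False
    for ch in s:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def normalize_dn(dn):
    """Canonical form of an RFC 4514 DN: tuple of RDNs, each a frozenset of
    (type, value). Types are case-insensitive and whitespace around separators
    is insignificant; values are kept as written (no matching-rule folding)."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            typ, _, val = ava.partition("=")
            avas.append((typ.strip().lower(), val.strip()))
        rdns.append(frozenset(avas))
    return tuple(rdns)


# Constructed policy: one table per issuing CA. Lookup is by serial, never by
# subject DN, and a CA may only map to authz-DNs under its own subtree, so a
# cert from the "official" CA can never land on a server object.
CA1 = "cn=Broken Official CA,o=Example Org,c=DE"  # issues non-unique subjects
CA2 = "cn=Internal Server CA,o=Example Org,c=DE"

POLICY = {
    normalize_dn(CA1): {
        "authz_suffix": "ou=external,dc=example,dc=com",
        "by_serial": {0x1001: "cn=srv1-a,ou=external,dc=example,dc=com",
                      0x1002: "cn=srv1-b,ou=external,dc=example,dc=com"}},
    normalize_dn(CA2): {
        "authz_suffix": "ou=servers,dc=example,dc=com",
        "by_serial": {7: "cn=srv1,ou=servers,dc=example,dc=com",
                      8: "cn=backup,ou=servers,dc=example,dc=com"}},
}


def map_cert(cert, policy=POLICY):
    """Return the authz-DN for a client cert, or None if it must not be mapped."""
    if "clientAuth" not in cert.get("eku", set()):
        return None  # not a client certificate at all
    table = policy.get(normalize_dn(cert["issuer"]))
    if table is None:
        return None  # issuer unknown to the mapping
    authz = table["by_serial"].get(cert["serial"])
    if authz is None:
        return None  # cert not enrolled for this issuer
    suffix = normalize_dn(table["authz_suffix"])
    if normalize_dn(authz)[-len(suffix):] != suffix:
        # a mapping that escapes the CA's subtree is a configuration error
        raise ValueError("%s is outside %s" % (authz, table["authz_suffix"]))
    return authz


def subject_collisions(certs):
    """Subject DNs shared by several distinct certificates: mapping by subject
    alone would give all of them the same identity."""
    seen = {}
    for c in certs:
        key = (normalize_dn(c["issuer"]), c["serial"])
        seen.setdefault(normalize_dn(c["subject"]), set()).add(key)
    return {s for s, ids in seen.items() if len(ids) > 1}


# Constructed sample certificates: three carry the identical subject DN.
CERTS = [
    {"issuer": CA1, "serial": 0x1001, "subject": "cn=srv1,o=Example Org,c=DE",
     "eku": {"clientAuth"}},
    {"issuer": CA1, "serial": 0x1002, "subject": "cn=srv1,o=Example Org,c=DE",
     "eku": {"clientAuth"}},
    # same CA as CA2, but the DN arrives with different case and spacing
    {"issuer": "CN=Internal Server CA, O=Example Org, C=DE", "serial": 7,
     "subject": "cn=srv1,o=Example Org,c=DE", "eku": {"clientAuth"}},
    {"issuer": CA2, "serial": 8, "subject": "cn=backup,o=Example Org,c=DE",
     "eku": {"serverAuth"}},  # a server cert: must never be mapped
]

if __name__ == "__main__":
    for c in CERTS:
        print("%s serial %#x -> %s" % (c["issuer"], c["serial"], map_cert(c)))
    print("subject DNs shared by several certs:", len(subject_collisions(CERTS)))
```

Run as a script it maps the two CA1 certificates with the same subject to two different authz-DNs, matches the differently-formatted CA2 issuer string to its table, and refuses the server certificate; `subject_collisions` reports the one subject DN that three certificates share, which is exactly the case where a subject-only mapping breaks.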