
Re: OpenLDAP with ssl client certs



Ulrich Windl wrote:
>>>> Michael Ströder <michael@stroeder.com> wrote on 01.11.2013 at 19:26 in
>> Unfortunately it's not that easy:
>>
>> Consider a (somewhat broken) "official" CA, which you definitely cannot
>> avoid or fix and which issues client certs with non-unique subject-DNs.
>> In this case one has to choose a certain client cert e.g. by
>> issuer-DN/serial for the mapping.
> 
> CAs either accept the subject name in the certification request, or they deny
> it, but they never change it.

Not true and also not relevant here.

>> Also consider that you want to off-load revocation checking of client certs
>> to an external process for better performance. In this case you also need to
>> distinguish client certs by some more information than just a subject-DN.
> 
> "you" is the process that handles CRLs. That process should be able to do it
> properly.

What exactly do you want to say?

>> Furthermore it's really not unusual to have several CAs which issue client
>> certs for different purposes. So IMHO it should be possible to map client
>> certs by a certain CA only to a certain subset of authz-DNs.
> 
> That's also wrong: You don't have to observe the issuing CA, but the
> certificate's attributes, like "X509v3 Key Usage".

Well, I'm not new to PKI but I don't get what you say.
I don't want to "observe the CA".

I just want to make sure that client certs issued by CA1 get mapped to
certain authz-DNs (server objects in my case) and others issued by CA2 get
mapped to other authz-DNs.

Did you really understand what I wrote?

Ciao, Michael.
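As an added illustration of what the mapping discussed in this thread actually operates on (editor's example, not text or configuration from Michael or from the OpenLDAP project): with TLS client-certificate authentication, slapd passes the certificate's subject DN as the SASL EXTERNAL identity, and `authz-regexp` in slapd.conf rewrites that string into an authz-DN. The suffixes, OUs and base DN below are made up.

```conf
# Added example (not from the thread): slapd.conf fragment.
# The SASL EXTERNAL identity that slapd hands to authz-regexp for a TLS
# client cert is the certificate's subject DN only; the issuer DN and the
# serial number are not part of that string.
# ou=servers, ou=services, o=example and dc=example,dc=com are made-up names.

# Certs whose subject sits under ou=servers map to server objects.
authz-regexp
  "^cn=([^,]+),ou=servers,o=example$"
  "ldap:///ou=servers,dc=example,dc=com??one?(cn=$1)"

# Certs whose subject sits under ou=services map to a different subtree.
authz-regexp
  "^cn=([^,]+),ou=services,o=example$"
  "ldap:///ou=services,dc=example,dc=com??one?(cn=$1)"

# Consequence: two certificates from two different CAs with identical
# subject DNs match the same rule, so the rule alone cannot tell CA1 from
# CA2. Keeping them apart requires subject DNs that differ per CA (e.g. a
# per-CA OU as above) or a mapping done outside authz-regexp.
```

The equivalent cn=config attribute is `olcAuthzRegexp` with the same two quoted arguments. The matching is done against the normalized subject DN, so the regexp sees the DN in LDAP (reversed, comma-separated) order, not in the certificate's X.500 display order.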

