List:       krbdev
Subject:    Re: dn and san matching
From:       "Kevin Coffman" <kwc () citi ! umich ! edu>
Date:       2007-05-24 21:31:38
Message-ID: 4d569c330705241431n208b460dw4f82df9954be0eda () mail ! gmail ! com
On 5/22/07, Sam Hartman <hartmans@mit.edu> wrote:
> I thought we had fairly strong agreement that you needed to narrow
> down to one cert.
>
> If you don't you may end up asking for the pin for the wrong cert and
> locking a smart card.

OK, my current plan is to parse one rule line at a time and run it
against all available certs.  If I wind up with exactly one match, go
with it.  Otherwise, continue to the next rule.  Does that sound
reasonable?

BTW, I've modified the syntax to make parsing and visualization (I
hope) a bit easier:

[ && | || ] [<SUBJECT><reg-exp>] [<ISSUER><reg-exp>] [<SAN><reg-exp>]
  [<EKU>[pkinit|msScLogin|clientAuth|emailProtection],...]
  [<KU>[digitalSignature|keyEncipherment],...]

So an example might look like:

&&<SUBJECT>.*DoD.*<ISSUER>.*DoD.*<SAN>.*@ABC.GOV<EKU>msScLogin,clientAuth<KU>digitalSignature

Which says:
Subject must contain "DoD"
AND Issuer must contain "DoD"
AND must have a pkinit or upn san for realm ABC.GOV
AND must have msScLogin AND clientAuth EKU
AND must have digitalSignature KU

Suggestions for improvement?
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
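An added illustration of the rule syntax and the one-rule-at-a-time, exactly-one-match selection described in the message (constructed example code, not Kevin's patch or MIT krb5's implementation). It assumes certificates are plain dicts standing in for parsed X.509 fields, that a rule with no `&&`/`||` prefix means `&&`, and that a comma-separated EKU/KU list requires every listed usage to be present.

```python
import re
# Matcher for the rule syntax in the message above (constructed example, not
# MIT krb5 code).  A certificate is a plain dict standing in for parsed X.509
# data: string SUBJECT/ISSUER, and lists for SAN, EKU and KU.
TOKEN = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")

def parse_rule(rule):
    """Split one rule line into (relation, {component: matcher})."""
    rule = rule.strip()
    relation = "&&"  # assumed default when no && / || prefix is given
    if rule.startswith(("&&", "||")):
        relation, rule = rule[:2], rule[2:]
    parts = TOKEN.split(rule)  # ['', 'SUBJECT', '.*DoD.*', 'ISSUER', ...]
    if parts[0].strip():
        raise ValueError("rule must start with a <COMPONENT> tag")
    comps = {}
    for name, value in zip(parts[1::2], parts[2::2]):
        if name in ("EKU", "KU"):
            comps[name] = {v for v in value.split(",") if v}  # required usages
        else:
            comps[name] = re.compile(value)  # regular expression on the field
    return relation, comps

def component_matches(name, want, cert):
    if name in ("EKU", "KU"):
        return want <= set(cert.get(name, ()))  # every listed usage present
    if name == "SAN":
        return any(want.search(s) for s in cert.get("SAN", ()))
    return want.search(cert.get(name, "")) is not None

def cert_matches(rule, cert):
    relation, comps = parse_rule(rule)
    results = [component_matches(n, v, cert) for n, v in comps.items()]
    return all(results) if relation == "&&" else any(results)

def select_cert(rules, certs):
    # Try rules in order; a rule is decisive only when exactly one cert matches.
    for rule in rules:
        hits = [c for c in certs if cert_matches(rule, c)]
        if len(hits) == 1:
            return hits[0]["id"]
    return None  # no rule narrowed the set to a single certificate

# Constructed sample certificates: only "a" satisfies the message's example rule.
CERTS = [
    {"id": "a", "SUBJECT": "CN=Alice,O=DoD", "ISSUER": "CN=DoD CA", "SAN": ["alice@ABC.GOV"],
     "EKU": ["msScLogin", "clientAuth"], "KU": ["digitalSignature"]},
    {"id": "b", "SUBJECT": "CN=Bob,O=DoD", "ISSUER": "CN=DoD CA", "SAN": ["bob@abc.gov"],
     "EKU": ["clientAuth"], "KU": ["digitalSignature"]},
]
```

A rule that matches two certificates (for example `<ISSUER>.*DoD.*` against both samples) is ambiguous and falls through, which is what keeps the client from prompting for the PIN of the wrong certificate.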