Fwd: pkinit SAN and EKU checking

Kevin Coffman kwc at citi.umich.edu
Mon May 14 18:48:02 EDT 2007


On 5/14/07, Douglas E. Engert <deengert at anl.gov> wrote:
>
>
> Kevin Coffman wrote:
> > Sam suggested I forward this here.  Comments/suggestions welcome.
>
>
> What about mixed environments where some certs may be issued by
> a local CA and others are issued by some external CA?
> So is your SAN and EKU checking based on the issuer CA?
>
> Examples could be using PIV smart cards issued by federal
> government for a small number of outside users, with most
> users using soft certs issued by local site.
>
> It looks like external could always be used if needed,
> but then all uses would have to be handled that way.

Yes, this quickly becomes more complicated with the amount of
flexibility allowed.  I think the external checking should deal with
this complexity.

As an example, there are at least two ways to handle the SAN checking:

1) if (pkinit san found and correct)
       return success
   else if (dns/upn san allowed, and present, and correct)
       return success
   else if (external mapping function)
       return result of external mapping function
   return not trusted

2) if (external mapping function)
       return result of external mapping function
   else if (pkinit san found and correct)
       return success
   else if (dns/upn san allowed, and present, and correct)
       return success
   return not trusted

I was going for option 2) where the external function could also
short-circuit things by looking for the pkinit san or dns/upn if
desired.  Or do so with more complicated rules such as involving the
issuing CA in the decision.

K.C.
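The two orderings discussed in the message, written out as an added C example (this is not code from the message or from MIT krb5). The `struct cert_info`, the `ext_map_fn` plug-in signature, the `piv_issuer_mapper` site policy and the sample certificates are all constructed for illustration, and the SAN comparisons are simplified string matches rather than real X.509 / KerberosName decoding. The example also adds a "declined" result so the external function can fall through to the built-in rules, which the pseudocode leaves implicit.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result of a mapping decision.  EXT_DECLINED is returned only by the
 * external function and means "no opinion, apply the built-in checks". */
enum verdict { NOT_TRUSTED = 0, TRUSTED = 1, EXT_DECLINED = 2 };

/* Constructed stand-in for what the KDC would extract from the client cert.
 * Real code would decode the X.509 SAN extension; here they are plain strings. */
struct cert_info {
    const char *issuer;      /* issuer DN, e.g. "CN=Local CA" */
    const char *pkinit_san;  /* id-pkinit-san KerberosName as text, or NULL */
    const char *dns_san;     /* dNSName SAN (host certs), or NULL */
    const char *upn_san;     /* Microsoft UPN otherName, or NULL */
};

/* Hypothetical plug-in signature for the "external mapping function". */
typedef enum verdict (*ext_map_fn)(const struct cert_info *cert, const char *princ);

struct policy {
    int allow_dns_upn;   /* may a dNSName/UPN SAN stand in for the pkinit SAN? */
    ext_map_fn external; /* NULL when no external mapping is configured */
};

static int eq(const char *a, const char *b) {
    return a != NULL && b != NULL && strcmp(a, b) == 0;
}

static int ieq(const char *a, const char *b) {
    if (a == NULL || b == NULL) return 0;
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* A dNSName SAN matches a host principal when it equals the instance part
 * of "host/<fqdn>@REALM" (simplified: no canonicalisation, no wildcards). */
static int dns_san_matches(const char *dns, const char *princ) {
    const char *at;
    size_t n;
    if (dns == NULL || princ == NULL || strncmp(princ, "host/", 5) != 0) return 0;
    princ += 5;
    at = strchr(princ, '@');
    n = at != NULL ? (size_t)(at - princ) : strlen(princ);
    return strlen(dns) == n && strncmp(dns, princ, n) == 0;
}

/* Built-in checks shared by both orderings: pkinit SAN first, then, only if
 * the policy allows it, a dNSName or UPN SAN that names the principal. */
static enum verdict builtin_san_check(const struct policy *p, const struct cert_info *c,
                                      const char *princ) {
    if (eq(c->pkinit_san, princ)) return TRUSTED;
    if (p->allow_dns_upn && (dns_san_matches(c->dns_san, princ) || eq(c->upn_san, princ)))
        return TRUSTED;
    return NOT_TRUSTED;
}

/* Option 1: built-in SAN checks first; the external function only sees
 * certs the built-in rules did not already accept. */
enum verdict check_option1(const struct policy *p, const struct cert_info *c, const char *princ) {
    enum verdict v;
    if (builtin_san_check(p, c, princ) == TRUSTED) return TRUSTED;
    if (p->external != NULL && (v = p->external(c, princ)) != EXT_DECLINED) return v;
    return NOT_TRUSTED;
}

/* Option 2: external function first, so it can short-circuit in either
 * direction (for instance on the issuing CA) before any SAN is believed. */
enum verdict check_option2(const struct policy *p, const struct cert_info *c, const char *princ) {
    enum verdict v;
    if (p->external != NULL && (v = p->external(c, princ)) != EXT_DECLINED) return v;
    return builtin_san_check(p, c, princ);
}

/* Hypothetical site mapper for the mixed environment: certs from the outside
 * PIV CA are mapped only through their UPN (compared case-insensitively) and
 * never through a pkinit SAN; certs from the local CA are left to the
 * built-in rules. */
static enum verdict piv_issuer_mapper(const struct cert_info *c, const char *princ) {
    if (!eq(c->issuer, "CN=External PIV CA")) return EXT_DECLINED;
    return ieq(c->upn_san, princ) ? TRUSTED : NOT_TRUSTED;
}

/* Constructed sample inputs (not real certificates). */
static const struct cert_info local_user = { "CN=Local CA", "alice@EXAMPLE.COM", NULL, NULL };
static const struct cert_info local_host = { "CN=Local CA", NULL, "kdc1.example.com", NULL };
static const struct cert_info piv_user   = { "CN=External PIV CA", NULL, NULL, "bob@example.com" };
/* An external-CA cert that also carries a pkinit SAN naming a local principal;
 * whether that SAN is honoured before the issuer-aware mapper runs is exactly
 * what the ordering decides. */
static const struct cert_info piv_pkinit = { "CN=External PIV CA", "mallory@EXAMPLE.COM", NULL,
                                             "1234567890@mil" };
static const struct policy strict  = { 0, piv_issuer_mapper }; /* pkinit SAN or external only */
static const struct policy relaxed = { 1, piv_issuer_mapper }; /* dNSName/UPN SANs also accepted */

static const char *name(enum verdict v) { return v == TRUSTED ? "trusted" : "not trusted"; }

int main(void) {
    const struct cert_info *certs[] = { &local_user, &local_host, &piv_user, &piv_pkinit };
    const char *princs[] = { "alice@EXAMPLE.COM", "host/kdc1.example.com@EXAMPLE.COM",
                             "bob@EXAMPLE.COM", "mallory@EXAMPLE.COM" };
    size_t i;
    for (i = 0; i < sizeof certs / sizeof certs[0]; i++)
        printf("%-34s issuer=%-18s option1=%-11s option2=%s\n", princs[i], certs[i]->issuer,
               name(check_option1(&strict, certs[i], princs[i])),
               name(check_option2(&strict, certs[i], princs[i])));
    return 0;
}
```

The last sample is the one that separates the two orderings: under option 1 the pkinit SAN is matched and accepted before the mapper ever sees the issuer, while under option 2 the issuer-aware mapper runs first and rejects it. That is the short-circuit on the issuing CA the message has in mind.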



More information about the krbdev mailing list