dn and san matching

Kevin Coffman kwc at citi.umich.edu
Mon May 21 21:46:11 EDT 2007

On 5/21/07, Nebergall, Christopher <cneberg at sandia.gov> wrote:
>  I'm assuming the reg-exp is against the whole DN so  you can match
> against multiple components of the DN? Correct?

>  pkinit_dn_san_match = ||SUBJECT:^OU = CITI,OU=UMICH.*,ISSUER:.*EDU$

Yes.  With the caveat that rfc2253 allows (requires) much leniency in
the string representation.  (Spaces between components, around "=",
around "+", around commas, etc.)  So that could be "OU=CITI,OU=UMICH"
or "OU = CITI , OU = UMICH".  This can be tricky to get right.

> Should searching for a specific client EKU OID also be in the list? Some
> CA vendors ship certificate pairs: encryption and signature and have
> identical DN's and issuers the only difference between them will be EKU,
> and normal key usage bits.

I thought we already filtered for DigitalSignature, but I'm not seeing
that.  I'll think about how to handle EKU and other usage bits.

> >>> Otherwise, we could change our rule and just return the first cert
> that matches one of the rules.  In that case, the admin should define
> the rules from most-specific to least-specific.
> First cert match seems OK, leaves it up to the admin to be specific
> enough.

Good.  That makes it a bit simpler.

More information about the krbdev mailing list