dn and san matching
Kevin Coffman
kwc at citi.umich.edu
Mon May 21 21:46:11 EDT 2007
On 5/21/07, Nebergall, Christopher <cneberg at sandia.gov> wrote:
> I'm assuming the reg-exp is against the whole DN so you can match
> against multiple components of the DN? Correct?
> pkinit_dn_san_match = ||SUBJECT:^OU = CITI,OU=UMICH.*,ISSUER:.*EDU$
Yes. With the caveat that RFC 2253 allows (requires) much leniency in
the string representation. (Spaces between components, around "=",
around "+", around commas, etc.) So that could be "OU=CITI,OU=UMICH"
or "OU = CITI , OU = UMICH". This can be tricky to get right.
> Should searching for a specific client EKU OID also be in the list? Some
> CA vendors ship certificate pairs: encryption and signature and have
> identical DN's and issuers the only difference between them will be EKU,
> and normal key usage bits.
I thought we already filtered for DigitalSignature, but I'm not seeing
that. I'll think about how to handle EKU and other usage bits.
> > Otherwise, we could change our rule and just return the first cert
> > that matches one of the rules. In that case, the admin should define
> > the rules from most-specific to least-specific.
>
> First cert match seems OK, leaves it up to the admin to be specific
> enough.
Good. That makes it a bit simpler.
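As an added example, not code from the thread or from the MIT Kerberos pkinit implementation, the following Python shows the RFC 2253 leniency Kevin describes and one way to keep it out of the admin's regex: tokenise the string DN (padding around "=", "+", "," and ";", backslash escapes, quoted values, multi-valued RDNs), re-emit a compact canonical form, and match the regex against that. It also implements the first-match selection agreed above, with rules tried in the order the admin lists them. The certificate records, the rule format (a subject regex and an issuer regex that must both match), and the names `parse_dn`, `normalize_dn`, `dn_matches` and `select_cert` are assumptions for illustration.

```python
# Added example: canonicalise RFC 2253 string DNs before regex matching.
# Not code from the thread or from pkinit; cert records and rule format are assumed.
import re
from typing import Dict, List, Optional, Sequence, Tuple

RDN = List[Tuple[str, str]]                  # one RDN: (attribute type, value) pairs
Cert = Dict[str, str]                        # constructed stand-in: 'subject'/'issuer' strings
Rule = Tuple[Optional[str], Optional[str]]   # (subject regex, issuer regex); None = any

_HEXPAIR = re.compile(r'[0-9A-Fa-f]{2}')
_SPECIAL = re.compile(r'([,+"\\<>;])')


def parse_dn(dn: str) -> List[RDN]:
    """Tokenise an RFC 2253 DN. Simplifications: a \\XX escape is decoded as a
    single character (multi-byte UTF-8 is not reassembled) and '#hex' BER
    values are kept as literal text."""
    rdns: List[RDN] = [[]]
    attr: List[str] = []
    value: List[str] = []
    in_type = True        # before the '=' of the current attribute/value pair
    in_quotes = False     # inside "..." (RFC 1779 form, still emitted by some CAs)
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if in_type:
            if c == '=':
                in_type = False
            else:
                attr.append(c)
            i += 1
        elif c == '\\' and i + 1 < n:            # \, \+ \" ... or \2C style escape
            pair = dn[i + 1:i + 3]
            if _HEXPAIR.fullmatch(pair):
                value.append(chr(int(pair, 16)))
                i += 3
            else:
                value.append(dn[i + 1])
                i += 2
        elif in_quotes:
            if c == '"':
                in_quotes = False
            else:
                value.append(c)
            i += 1
        elif c == '"':
            in_quotes = True
            i += 1
        elif c in ',;+':                         # unescaped separator closes the pair
            rdns[-1].append((''.join(attr).strip().upper(), ''.join(value).strip()))
            attr.clear()
            value.clear()
            in_type = True
            if c != '+':                         # ',' and ';' start a new RDN
                rdns.append([])
            i += 1
        else:
            value.append(c)
            i += 1
    if in_quotes:
        raise ValueError('unterminated quoted value in DN')
    if in_type:
        if ''.join(attr).strip():
            raise ValueError('attribute type without value in DN')
    else:
        rdns[-1].append((''.join(attr).strip().upper(), ''.join(value).strip()))
    return [r for r in rdns if r]


def _escape(value: str) -> str:
    """Re-escape specials so the canonical form is itself valid RFC 2253."""
    out = _SPECIAL.sub(r'\\\1', value)
    return '\\' + out if out.startswith('#') else out


def normalize_dn(dn: str) -> str:
    """Compact form: TYPE=value, '+' within an RDN, ',' between RDNs, no padding."""
    return ','.join('+'.join(f'{t}={_escape(v)}' for t, v in rdn) for rdn in parse_dn(dn))


def dn_matches(dn: str, pattern: str) -> bool:
    """Apply the admin's regex to the canonical form so spacing variants all match."""
    return re.search(pattern, normalize_dn(dn)) is not None


def select_cert(certs: Sequence[Cert], rules: Sequence[Rule]) -> Optional[Cert]:
    """First match wins; rules are tried in order, so list them most-specific first."""
    for subj_re, iss_re in rules:
        for cert in certs:
            if subj_re is not None and not dn_matches(cert['subject'], subj_re):
                continue
            if iss_re is not None and not dn_matches(cert['issuer'], iss_re):
                continue
            return cert
    return None


# Constructed sample data (not from the thread): escaped comma in the first CN,
# padded spacing in the second subject and issuer, quoted value in the third.
SAMPLE_CERTS: List[Cert] = [
    {'name': 'person',
     'subject': 'CN=Coffman\\, Kevin,OU=CITI,OU=UMICH,O=University of Michigan,C=US',
     'issuer': 'CN=CITI CA,OU=CITI,O=University of Michigan,C=US'},
    {'name': 'signing',
     'subject': 'OU = CITI , OU = UMICH , O = University of Michigan , C = US',
     'issuer': 'CN = CITI CA , OU = CITI , O = University of Michigan , C = US'},
    {'name': 'other',
     'subject': 'CN="Smith, Jane",O=Other Org,C=US',
     'issuer': 'CN=Other CA,O=Other Org,C=US'},
]

SAMPLE_RULES: List[Rule] = [
    (r'^OU=CITI,OU=UMICH,', r'^CN=CITI CA,'),   # most specific first
    (r'OU=UMICH,', None),                       # broader fallback
]

if __name__ == '__main__':
    for c in SAMPLE_CERTS:
        print(c['name'], '->', normalize_dn(c['subject']))
    chosen = select_cert(SAMPLE_CERTS, SAMPLE_RULES)
    print('selected:', chosen['name'] if chosen else None)
```

Patterns are written against the compact form (`OU=CITI,OU=UMICH`), so `OU = CITI , OU = UMICH` and `OU=CITI,OU=UMICH` both match, while an escaped or quoted comma inside a value stays inside that value instead of splitting an RDN. Attribute types are upper-cased because RFC 2253 treats them case-insensitively, but values are left as-is, so a pattern such as `.*EDU$` will not match an issuer whose DC components are lower-case. With `SAMPLE_RULES` as listed the specific rule selects `signing`; reversing the rule order lets the broad fallback pick `person` first, which is why the admin has to order rules from most- to least-specific under a first-match policy.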