dn and san matching

Kevin Coffman kwc at citi.umich.edu
Thu May 24 17:31:38 EDT 2007


On 5/22/07, Sam Hartman <hartmans at mit.edu> wrote:
> I thought we had fairly strong agreement that you needed to narrow
> down to one cert.
>
> If you don't you may end up asking for the pin for the wrong cert and
> locking a smart card.

OK, my current plan is to parse one rule line at a time and run it
against all available certs.  If I wind up with exactly one match, go
with it.  Otherwise, continue to the next rule.  Does that sound
reasonable?

BTW, I've modified the syntax to make parsing and visualization (I
hope) a bit easier:

[ && | || ] [<SUBJECT><reg-exp>] [<ISSUER><reg-exp>] [<SAN><reg-exp>]
  [<EKU>[pkinit|msScLogin|clientAuth|emailProtection],...]
  [<KU>[digitalSignature|keyEncipherment],...]

So an example might look like:

&&<SUBJECT>.*DoD.*<ISSUER>.*DoD.*<SAN>.*@ABC.GOV<EKU>msScLogin,clientAuth<KU>digitalSignature

Which says:
Subject must contain "DoD"
AND Issuer must contain "DoD"
AND must have a pkinit or upn san for realm ABC.GOV
AND must have msScLogin AND clientAuth EKU
AND must have digitalSignature KU

Suggestions for improvement?
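As an added illustration of the rule syntax and the "exactly one match or fall through" selection described above (this is example code written for this page, not krb5's pkinit code), the following Python parses one rule line at a time, runs it against a constructed set of certificates, and returns a cert only when a rule narrows the set to one. Assumptions that go beyond the post: regexes are applied to the whole DN/SAN string (which is why the example rule spells ".*DoD.*" rather than "DoD"), a comma-separated EKU/KU list means all listed values must be present, and a rule with no "&&"/"||" prefix is treated as AND. The Cert record and the sample certificate data are invented for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical certificate record for this example only; real code would pull
# these fields out of an X.509 certificate with a library such as OpenSSL.
@dataclass(frozen=True)
class Cert:
    label: str          # which card slot/cert this is, for reporting only
    subject: str        # subject DN rendered as a string
    issuer: str         # issuer DN rendered as a string
    sans: tuple         # subjectAltName values (PKINIT/UPN SANs as strings)
    ekus: frozenset     # extended key usage names
    kus: frozenset      # key usage names

TAG_RE = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")

def parse_rule(line):
    """Parse one rule line into (operator, [(tag, matcher), ...]).
    SUBJECT/ISSUER/SAN values become compiled regexes; EKU/KU values become
    frozensets of names that must all be present (assumption)."""
    line = line.strip()
    op = "&&"                       # assumption: no prefix means AND
    if line[:2] in ("&&", "||"):
        op, line = line[:2], line[2:]
    parts = TAG_RE.split(line)      # ['', tag, value, tag, value, ...]
    if parts[0].strip():
        raise ValueError("text before first tag: %r" % parts[0])
    clauses = []
    for tag, value in zip(parts[1::2], parts[2::2]):
        if tag in ("EKU", "KU"):
            clauses.append((tag, frozenset(v.strip() for v in value.split(","))))
        else:
            clauses.append((tag, re.compile(value)))
    if not clauses:
        raise ValueError("rule has no clauses: %r" % line)
    return op, clauses

def clause_matches(tag, matcher, cert):
    # Regexes must match the whole string (assumption), hence ".*DoD.*" above.
    if tag == "SUBJECT":
        return matcher.fullmatch(cert.subject) is not None
    if tag == "ISSUER":
        return matcher.fullmatch(cert.issuer) is not None
    if tag == "SAN":
        return any(matcher.fullmatch(s) for s in cert.sans)
    if tag == "EKU":
        return matcher <= cert.ekus
    if tag == "KU":
        return matcher <= cert.kus
    raise ValueError("unknown tag %r" % tag)

def rule_matches(rule, cert):
    op, clauses = rule
    results = (clause_matches(t, m, cert) for t, m in clauses)
    return all(results) if op == "&&" else any(results)

def select_cert(rule_lines, certs):
    """Apply rules in order; a rule wins only if exactly one cert matches it.
    Zero or several matches fall through to the next rule, so the caller is
    never asked for a PIN for an ambiguous choice. None if nothing narrows."""
    for line in rule_lines:
        rule = parse_rule(line)
        hits = [c for c in certs if rule_matches(rule, c)]
        if len(hits) == 1:
            return hits[0]
    return None

# Constructed sample certs (not real data): two CAC-style certs from one card
# plus one from an unrelated vendor CA. Only "cac-id" satisfies the full rule.
SAMPLE_CERTS = (
    Cert("cac-id",
         "CN=DOE.JOHN.1234567890,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US",
         "CN=DOD CA-13,OU=PKI,OU=DoD,O=U.S. Government,C=US",
         ("1234567890@ABC.GOV",),
         frozenset({"clientAuth", "msScLogin"}), frozenset({"digitalSignature"})),
    Cert("cac-email",
         "CN=DOE.JOHN.1234567890,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US",
         "CN=DOD EMAIL CA-13,OU=PKI,OU=DoD,O=U.S. Government,C=US",
         ("john.doe@mail.example", "1234567890@ABC.GOV"),
         frozenset({"clientAuth", "emailProtection"}),
         frozenset({"digitalSignature", "keyEncipherment"})),
    Cert("vendor",
         "CN=Jane Roe,O=Example Corp,C=US",
         "CN=Example Corp CA,O=Example Corp,C=US",
         ("jane@EXAMPLE.COM",),
         frozenset({"clientAuth"}), frozenset({"digitalSignature"})),
)

EXAMPLE_RULE = ("&&<SUBJECT>.*DoD.*<ISSUER>.*DoD.*<SAN>.*@ABC.GOV"
                "<EKU>msScLogin,clientAuth<KU>digitalSignature")
# Deliberately loose: matches all three certs, so it must fall through.
LOOSE_RULE = "||<SUBJECT>.*DoD.*<ISSUER>.*Example.*"

if __name__ == "__main__":
    chosen = select_cert([LOOSE_RULE, EXAMPLE_RULE], SAMPLE_CERTS)
    print("selected:", chosen.label if chosen else None)
```

Running it selects "cac-id": the loose OR rule matches every sample cert and is skipped, and the example AND rule from the post matches only the identity cert (the email cert fails on EKU, the vendor cert on SUBJECT). With only the loose rule configured nothing is selected, which is the behaviour you want before prompting for a PIN.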


