dn and san matching
kwc at citi.umich.edu
Thu May 24 17:31:38 EDT 2007
On 5/22/07, Sam Hartman <hartmans at mit.edu> wrote:
> I thought we had fairly strong agreement that you needed to narrow
> down to one cert.
> If you don't you may end up asking for the pin for the wrong cert and
> locking a smart card.
OK, my current plan is to parse one rule line at a time and run it
against all available certs. If I wind up with exactly one match, go
with it. Otherwise, continue to the next rule. Does that sound
BTW, I've modified the syntax to make parsing and visualization (I
hope) a bit easier:
[ && | || ] [<SUBJECT><reg-exp>] [<ISSUER><reg-exp>] [<SAN><reg-exp>]
So an example might look like:
Subject must contain "DoD"
AND Issuer must contain "DoD"
AND must have a pkinit or upn san for realm ABC.GOV
AND must have msScLogin AND clientAuth EKU
AND must have digitalSignature KU
Suggestions for improvement?
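
The selection loop described in the message, as an added example (not part of the original post or of the krb5 source): each rule line is evaluated against every available certificate and is used only if it narrows to exactly one, so no PIN prompt is issued for an ambiguous match. The parsing of the rule line, the default of `&&` when no operator is given, and the certificate dictionaries are assumptions; the EKU and KU conditions from the example are not modelled.

```python
import re

# Assumed grammar, following the syntax line in the message:
#   [ && | || ] <SUBJECT>regex <ISSUER>regex <SAN>regex   (each component optional)
COMPONENT = re.compile(r"<(SUBJECT|ISSUER|SAN)>(.*?)(?=<(?:SUBJECT|ISSUER|SAN)>|$)")

def parse_rule(line):
    """Return (relation, [(field, compiled_regex), ...]) for one rule line."""
    line = line.strip()
    relation = "&&"                      # assumption: AND when no operator is given
    if line[:2] in ("&&", "||"):
        relation, line = line[:2], line[2:].lstrip()
    comps = [(m.group(1), re.compile(m.group(2).strip()))
             for m in COMPONENT.finditer(line)]
    if not comps:
        raise ValueError("rule has no <SUBJECT>/<ISSUER>/<SAN> component")
    return relation, comps

def cert_matches(cert, rule):
    relation, comps = rule
    def hit(field, rx):
        if field == "SAN":               # a SAN component matches if any SAN matches
            return any(rx.search(s) for s in cert["sans"])
        return bool(rx.search(cert[field.lower()]))
    results = [hit(f, rx) for f, rx in comps]
    return all(results) if relation == "&&" else any(results)

def select_cert(rule_lines, certs):
    """First rule that matches exactly one cert wins; None means do not prompt."""
    for line in rule_lines:
        rule = parse_rule(line)
        matched = [c for c in certs if cert_matches(c, rule)]
        if len(matched) == 1:
            return matched[0]
    return None

# Constructed sample data (not from any real card).
CERTS = [
    {"id": "email", "subject": "CN=DOE.JOHN.1234, OU=DoD, O=U.S. Government",
     "issuer": "CN=DOD EMAIL CA-1, OU=DoD", "sans": ["rfc822:john.doe@example.mil"]},
    {"id": "login", "subject": "CN=DOE.JOHN.1234, OU=DoD, O=U.S. Government",
     "issuer": "CN=DOD CA-1, OU=DoD", "sans": ["upn:1234@ABC.GOV"]},
]
RULES = [
    "&&<SUBJECT>DoD<ISSUER>DoD",                  # matches both certs: ambiguous, skipped
    "&&<SUBJECT>DoD<ISSUER>DoD<SAN>@ABC\\.GOV$",  # narrows to the login cert
]
```

With the constructed data, `select_cert(RULES, CERTS)` skips the first rule because it matches both certificates and returns the login certificate from the second.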