dn and san matching

Kevin Coffman kwc at citi.umich.edu
Thu May 24 17:31:38 EDT 2007

On 5/22/07, Sam Hartman <hartmans at mit.edu> wrote:
> I thought we had fairly strong agreement that you needed to narrow
> down to one cert.
> If you don't you may end up asking for the pin for the wrong cert and
> locking a smart card.

OK, my current plan is to parse one rule line at a time and run it
against all available certs.  If I wind up with exactly one match, go
with it.  Otherwise, continue to the next rule.  Does that sound

BTW, I've modified the syntax to make parsing and visualization (I
hope) a bit easier:

[ && | || ] [<SUBJECT><reg-exp>] [<ISSUER><reg-exp>] [<SAN><reg-exp>]

So an example might look like:


Which says:
Subject must contain "DoD"
AND Issuer must contain "DoD"
AND must have a pkinit or upn san for realm ABC.GOV
AND must have msScLogin AND clientAuth EKU
AND must have digitalSignature KU

Suggestions for improvement?

More information about the krbdev mailing list