[kmf-discuss] DN/subjectAltName mapping to username
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Thu Dec 20 08:32:20 PST 2007
Nicolas Williams wrote:
> On Thu, Dec 20, 2007 at 05:22:06PM +0100, Jan Pechanec wrote:
>
>> On Thu, 20 Dec 2007, Nicolas Williams wrote:
>>
>>
>>>> - ignore domain if applicable (eg. mail-to-user mapper)
>>>>
>>> That could only be OK if the set of trust anchors is narrow enough.
>>>
>> hmm, not sure what you mean by this. If I understand that correctly,
>> one KMF policy means one trusted anchor only. J.
>>
>
> But that trust anchor could be a root CA for a very large namespace, or
> one for a very small namespace. In the former case using an e-mail addr
> SAN minus the @domain part regardless of what the domain was seems...
> like asking for trouble.
>
Agreed, that was one of the points I was trying to make originally. Max has also made the point that if we only want to map a single cert per UID (is that a requirement?), then the fields from the cert that are used must be uniquely identifiable within a given CA's namespace.

-Wyllys
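The two concerns in this thread, only stripping the @domain from an rfc822Name SAN when the trust anchor's namespace is narrow enough, and requiring the mapped field to be unique within a CA's namespace, can be expressed as a small mapping policy. The following is an added example and not code from this thread, from KMF or from Sun; the `MapperPolicy` class, the `map_email_to_user`, `build_uid_index` and `try_map` names, the trust anchor label and the e-mail addresses are all constructed for illustration.

```python
# Added example (not KMF code): map an rfc822Name subjectAltName to a local
# username under a per-trust-anchor policy. All names and values below are
# constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class MapperPolicy:
    # Trust anchor, identified here by a constructed subject DN string.
    trust_anchor: str
    # Domains for which "strip the @domain" is acceptable under this anchor.
    # An empty set means the anchor's namespace is too broad to strip anything,
    # so no e-mail SAN issued under it maps to a local user.
    allowed_domains: FrozenSet[str] = field(default_factory=frozenset)


class MappingError(ValueError):
    """Raised when a SAN cannot be mapped safely under the policy."""


def parse_rfc822(san: str) -> Tuple[str, str]:
    """Split an rfc822Name into (local-part, domain); the domain is lowercased."""
    local, sep, domain = san.rpartition("@")
    if not sep or not local or not domain:
        raise MappingError(f"not an e-mail SAN: {san!r}")
    return local, domain.lower()


def map_email_to_user(san: str, policy: MapperPolicy) -> str:
    """Return the local username for an e-mail SAN, or raise MappingError.

    The domain is only dropped when it is explicitly listed for this trust
    anchor, so a CA covering a large namespace cannot turn an arbitrary
    'user@somewhere' into the local account 'user'.
    """
    local, domain = parse_rfc822(san)
    if domain not in policy.allowed_domains:
        raise MappingError(
            f"domain {domain!r} is not trusted for mapping under "
            f"anchor {policy.trust_anchor!r}"
        )
    return local


def build_uid_index(sans: Iterable[str], policy: MapperPolicy) -> Dict[str, str]:
    """Map many SANs to usernames, refusing any two SANs that collide on one UID.

    This enforces the one-cert-per-UID uniqueness discussed in the thread:
    if two allowed domains both carry a 'jan', the mapping is ambiguous.
    """
    index: Dict[str, str] = {}
    for san in sans:
        uid = map_email_to_user(san, policy)
        if uid in index and index[uid] != san:
            raise MappingError(
                f"ambiguous mapping: {san!r} and {index[uid]!r} both map to {uid!r}"
            )
        index[uid] = san
    return index


def try_map(san: str, policy: MapperPolicy) -> Optional[str]:
    """Convenience wrapper: the username, or None when the policy rejects the SAN."""
    try:
        return map_email_to_user(san, policy)
    except MappingError:
        return None


if __name__ == "__main__":
    # Constructed sample policy and SANs.
    narrow = MapperPolicy("CN=Example Org CA", frozenset({"example.org"}))
    broad = MapperPolicy("CN=Big Public CA")  # no domains listed: never strip
    for san in ("jan@example.org", "jan@example.net", "nobody"):
        print(f"{san!r} under narrow policy -> {try_map(san, narrow)!r}")
        print(f"{san!r} under broad policy  -> {try_map(san, broad)!r}")
```

A policy with no allowed domains is the conservative default for a root CA covering a large namespace; a site adds domains only for anchors whose e-mail namespace it actually controls, which is the "set of trust anchors is narrow enough" condition from the quoted discussion.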