[kmf-discuss] DN/subjectAltName mapping to username
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Thu Dec 20 09:04:59 PST 2007
Jan Pechanec wrote:
> On Wed, 19 Dec 2007, Huie-Ying Lee wrote:
>
> hi Huie-Ying,
>
>
>> Initially, I was not sure whether KMF is the right place for this when
>> Jan brought up the idea. However, after thinking it over a little bit,
>> it makes more and more sense to me. Adding a new library with
>> a new policy file will make things more complicated. Given that KMF supports
>> many kmf_get_cert_xxx() APIs already, adding kmf_map_cert_to_username()
>> shouldn't be too odd.
>>
>
> I've just read through your pam_pkcs11 materials and what it
> provides seems to fit in what we need for SunSSH. So, if the KMF team were
> willing to somehow expose this functionality through the KMF API, that would be
> great.
>
> From the list of mappers I would say that it should be enough to
> support quite a large set of mappings. And if there still was anything missing
> for the SunSSH/x509 project I'm definitely willing to write or help with a
> mapper that would be needed.
>
> I think that there might be a not too large set of attributes to
> define a mapping:
>
> - a module name
> - filename for "xxx -> user" mapping if needed
> - ignore case if applicable
> - a few attributes (host, port, password, ...) for directory-like
> mappers like the LDAP one
> - ignore domain if applicable (eg. mail-to-user mapper)
> - algorithm (eg. digest mapper)
>
> I would be definitely willing to help with the design for this, if
> needed.
>
> thanks, Jan.
>
I like the proposals so far, but I would like to hear more details.

KMF is not a daemon process that maintains state of any kind. So, where
would these mappings be maintained and managed? Are we going to introduce
a new file/database of some sort that KMF will then be able to read? If
so, then we also need to introduce a new tool (or maybe enhance an
existing one) that manages the database of mappings. If we want to be
really flexible, we could create some sort of mapping syntax language
that would allow the administrator to create mappings from any number of
valid x509 fields (or from a limited set). Or we could be more
restrictive in the first attempt and just choose a few fixed mappings
that we think would be most useful.

If we create this "kmf_map_cert_to_username()" function, what would it
actually do? A process calling this may or may not be privileged enough
to update the mapping table (I'm assuming that would have to be a
privileged operation). I think we need to offer 2 APIs - one to create a
mapping and one to find a username from a given cert.
-Wyllys
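To make the design concrete, here is an added Python sketch (not KMF code and not from anyone in this thread) of the lookup half Wyllys describes: a policy built from the attributes Jan lists (module name, "xxx -> user" mapping file, ignore case, ignore domain, digest algorithm) applied to fields already pulled from a certificate. The certificate field names, the mapping-file syntax and the module names are constructed assumptions.

```python
import hashlib

# Constructed stand-in for the fields a caller would already fetch from a
# certificate with the existing kmf_get_cert_xxx() APIs; no DER is parsed.
SAMPLE_CERT = {
    "subject_cn": "Alice Example",
    "rfc822_names": ["Alice@Example.COM"],
    "der": b"constructed-certificate-bytes",
}

# Constructed "value -> user" mapping file contents (hypothetical syntax).
MAPFILE = """
# comments and blank lines are ignored
alice example -> alice
alice -> alice
"""

def load_mapfile(text, ignore_case=False):
    """Parse 'value -> user' lines; keys are lowercased when ignore_case."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, user = (p.strip() for p in line.split("->", 1))
        table[key.lower() if ignore_case else key] = user
    return table

def candidate_keys(cert, policy):
    """Derive the lookup keys a given mapper module takes from the cert."""
    module = policy["module"]
    if module == "cn":
        return [cert["subject_cn"]]
    if module == "mail":
        names = cert["rfc822_names"]
        if policy.get("ignore_domain"):
            names = [n.split("@", 1)[0] for n in names]   # drop @domain
        return names
    if module == "digest":   # hash of the whole cert, e.g. sha256
        return [hashlib.new(policy["algorithm"], cert["der"]).hexdigest()]
    raise ValueError("unknown mapper module: %s" % module)

def map_cert_to_username(cert, policy, mapfile_text):
    """Return the first user the policy maps this cert to, or None."""
    ignore_case = policy.get("ignore_case", False)
    table = load_mapfile(mapfile_text, ignore_case)
    for key in candidate_keys(cert, policy):
        user = table.get(key.lower() if ignore_case else key)
        if user is not None:
            return user
    return None
```

A mapper that returns None is a hard failure for the caller: no entry means no login, never a fallback to some default account.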