[kmf-discuss] DN/subjectAltName mapping to username
Jan Pechanec
Jan.Pechanec at Sun.COM
Thu Dec 20 09:42:05 PST 2007
On Thu, 20 Dec 2007, Wyllys Ingersoll wrote:
> Now that I understand this a bit better, I think we can put the mapping rule
> into the KMF policy file, which is already managed by the "kmfcfg(1)" utility.
> It can be expanded to support a new policy attribute for mapping names and
> cert attributes. We just need to figure out how we will specify the rules.
do you mean that it could be dynamic, i.e. that the mapping could be
done in an external module that would be dlopen()'ed, for example? So that
adding a new mapping wouldn't need a change in KMF itself or the DTD?
> KMF consumers read the system policy whenever they initialize a KMF handle,
> so it is possible to have different policies with different mapping rules
> used by different applications. Or even the same application can
> theoretically have multiple KMF handles initialized, each with different
> policies attached to them.
exactly. SSH would probably use several policies. Every "Host"
section in .ssh/config could define a policy, depending on the set of machines
to connect to. With another resync with OpenSSH, a similar approach could be
used on the server side, too.
Jan.
--
Jan Pechanec
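To make the design question above concrete, here is an added example (not code from this thread, KMF or OpenSSH) of what a per-host name-mapping policy could look like: a list of ordered rules, each naming a certificate attribute (subject DN attribute or subjectAltName type), evaluated against an already-parsed certificate. The rule syntax ("dn:ATTR", "san:TYPE", "san:email:localpart"), the host-pattern policy table and the username charset check are all assumptions made for the illustration; X.509 parsing is left out and the name fields are constructed inline.

```python
"""Illustrative DN/subjectAltName-to-username mapping.

Added example only; the rule syntax and policy table are hypothetical and not
the KMF policy format. Certificate names are supplied pre-parsed.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Conservative local-account charset: lowercase, starts with a letter or '_'.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


@dataclass
class CertNames:
    """Name material extracted from a certificate (constructed for the example)."""
    subject: List[Tuple[str, str]]   # ordered DN attributes, e.g. ("CN", "alice")
    san: List[Tuple[str, str]]       # subjectAltName entries, e.g. ("email", "a@x")


def candidates(names: CertNames, rule: str) -> List[str]:
    """Return every value the rule selects from the certificate.

    Hypothetical rule syntax:
      dn:ATTR            -> all subject DN values with attribute ATTR
      san:TYPE           -> all subjectAltName values of TYPE
      san:TYPE:localpart -> the part before '@' of each such value
    """
    parts = rule.split(":")
    if parts[0] == "dn" and len(parts) == 2:
        return [v for a, v in names.subject if a.upper() == parts[1].upper()]
    if parts[0] == "san" and len(parts) in (2, 3):
        vals = [v for t, v in names.san if t == parts[1]]
        if len(parts) == 3 and parts[2] == "localpart":
            vals = [v.split("@", 1)[0] for v in vals if "@" in v]
        return vals
    raise ValueError(f"unknown mapping rule: {rule!r}")


def map_username(names: CertNames, rules: List[str]) -> Optional[str]:
    """Apply rules in order; the first rule that selects a name decides.

    Fails closed: a rule that selects more than one value is ambiguous and
    rejects the certificate instead of picking one arbitrarily, and a selected
    name that does not fit the local username charset is rejected as well.
    """
    for rule in rules:
        cands = candidates(names, rule)
        if len(cands) > 1:
            return None            # ambiguous: refuse rather than guess
        if len(cands) == 1:
            name = cands[0]
            return name if USERNAME_RE.fullmatch(name) else None
    return None                    # no rule matched anything


def select_policy(policies: List[Tuple[str, List[str]]], hostname: str) -> List[str]:
    """Pick the rule list for a host, first matching glob wins (like ssh_config Host)."""
    for pattern, rules in policies:
        if fnmatch.fnmatch(hostname.lower(), pattern.lower()):
            return rules
    return []


# Constructed sample policy table and certificates.
POLICIES = [
    ("*.example.com", ["san:email:localpart", "dn:CN"]),
    ("*", ["dn:CN"]),
]
ALICE = CertNames(subject=[("CN", "Alice Example"), ("O", "Example Corp")],
                  san=[("email", "alice@example.com")])
BOB_AMBIGUOUS = CertNames(subject=[("CN", "bob")],
                          san=[("email", "bob@example.com"),
                               ("email", "robert@example.com")])
ODD_CN = CertNames(subject=[("CN", "root; rm -rf")], san=[])

if __name__ == "__main__":
    rules = select_policy(POLICIES, "build01.example.com")
    print(map_username(ALICE, rules))                           # alice
    print(map_username(BOB_AMBIGUOUS, rules))                   # None (ambiguous)
    print(map_username(ODD_CN, select_policy(POLICIES, "x.y")))  # None (bad charset)
```

The two rejections are the point a policy designer would want spelled out: when a rule matches several SAN entries the mapping refuses instead of choosing, and a DN value is never handed to the OS as an account name unless it already looks like one.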