[kmf-discuss] DN/subjectAltName mapping to username
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Thu Dec 20 09:49:06 PST 2007
Jan Pechanec wrote:
> On Thu, 20 Dec 2007, Wyllys Ingersoll wrote:
>
> > Now that I understand this a bit better, I think we can put the
> > mapping rule into the KMF policy file, which is already managed by
> > the "kmfcfg(1)" utility. It can be expanded to support a new
> > policy attribute for mapping names and cert attributes. We just
> > need to figure out how we will specify the rules.
>
> do you mean that it could be dynamic, i.e. that the mapping could be
> done in an external module that would be dlopen()'ed, for example? So
> that adding a new mapping wouldn't need a change in KMF itself or the
> DTD?
The mapping would be applied down inside of the kmf_map_cert_to_user()
function according to whatever is specified in the policy associated
with the KMF handle. Nothing would need to be dlopen-ed. One can
always call kmf_set_policy() to change the policy currently associated
with the KMF handle which re-reads the policy file and should catch any
updates.
Adding a new mapping would not require a change to the DTD, though it would
require an update of the KMF policy file via kmfcfg(1).
>
> > KMF consumers read the system policy whenever they initialize a KMF
> > handle, so it is possible to have different policies with different
> > mapping rules used by different applications. Or even the same
> > application can theoretically have multiple KMF handles
> > initialized, each with different policies attached to them.
>
> exactly. SSH would probably use several policies. Every "Host"
> section in .ssh/config could define a policy, depending on the set of
> machines to connect to. With another resync with OpenSSH, a similar
> approach could be used for the server side, too.
>
> Jan.
>
Yes.
-Wyllys
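The thread leaves open how the mapping rules would be written down in the policy file. The following is an added illustrative model of a policy-driven certificate-to-username mapping, not code from this thread or from libkmf: the rule fields (source attribute, mail domain, allow-list), the per-host policy selection modelled on the .ssh/config "Host" idea, and the certificate fields are all assumptions, with certificate parsing treated as already done. It shows the checks a mapping step should make before handing a name to the caller: accept only a single unambiguous candidate, bind rfc822Name matches to an expected domain, and require a conservative username form.

```python
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Usernames a mapping may produce: a conservative POSIX-style form, so an
# attribute such as "root;" or "../x" in a certificate can never map anywhere.
_SAFE_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


@dataclass
class ParsedCert:
    """Certificate fields as already parsed by some X.509 library (assumed)."""
    subject: dict                              # RDN type -> value, e.g. {"CN": "bob"}
    san: dict = field(default_factory=dict)    # GeneralName type -> list of values


@dataclass
class MappingRule:
    """One mapping rule as it might appear in a policy entry (hypothetical syntax)."""
    source: str                        # "subject:CN" or "san:rfc822Name"
    domain: Optional[str] = None       # rfc822Name only: accept this mail domain
    users: frozenset = frozenset()     # optional allow-list of resulting usernames


def _candidates(cert: ParsedCert, rule: MappingRule) -> list:
    """Collect the raw attribute values the rule's source points at."""
    kind, _, attr = rule.source.partition(":")
    if kind == "subject":
        value = cert.subject.get(attr)
        return [value] if value is not None else []
    if kind == "san":
        return list(cert.san.get(attr, []))
    raise ValueError(f"unknown rule source {rule.source!r}")


def map_cert_to_user(cert: ParsedCert, rule: MappingRule) -> Optional[str]:
    """Return the one username this rule maps the cert to, or None.

    Ambiguous, foreign-domain, or oddly formed results are rejected rather
    than guessed at, since the result is an authorization decision."""
    users = set()
    for value in _candidates(cert, rule):
        name = value
        if rule.domain is not None:
            local, at, dom = value.rpartition("@")
            # Domain comparison is case-insensitive; the local part is not touched.
            if not at or dom.lower() != rule.domain.lower():
                continue
            name = local
        if not _SAFE_USERNAME.match(name):
            continue
        if rule.users and name not in rule.users:
            continue
        users.add(name)
    return users.pop() if len(users) == 1 else None


# Two policies, each with its own rule, standing in for two policy-file entries.
POLICIES = {
    "corp": MappingRule(source="san:rfc822Name", domain="example.com"),
    "lab": MappingRule(source="subject:CN", users=frozenset({"bob", "carol"})),
}

# Host pattern -> policy name, first match wins (modelled on .ssh/config "Host").
HOST_POLICY = [
    ("*.lab.example.com", "lab"),
    ("*", "corp"),
]


def policy_for_host(host: str) -> str:
    """Pick the policy name for a target host using shell-style patterns."""
    for pattern, name in HOST_POLICY:
        if fnmatchcase(host, pattern):
            return name
    raise LookupError(host)


# Constructed sample certificates (not real certificates).
CERT_ALICE = ParsedCert(subject={"CN": "Alice Example", "O": "Example"},
                        san={"rfc822Name": ["alice@example.com"]})
CERT_AMBIGUOUS = ParsedCert(subject={"CN": "Shared"},
                            san={"rfc822Name": ["alice@example.com", "bob@example.com"]})
CERT_FOREIGN = ParsedCert(subject={"CN": "Mallory"},
                          san={"rfc822Name": ["root@attacker.example.net"]})
CERT_BOB = ParsedCert(subject={"CN": "bob", "O": "Example"})


if __name__ == "__main__":
    for host, cert in [("bastion.example.com", CERT_ALICE),
                       ("node1.lab.example.com", CERT_BOB),
                       ("bastion.example.com", CERT_FOREIGN)]:
        name = policy_for_host(host)
        print(host, name, map_cert_to_user(cert, POLICIES[name]))
```

The ambiguity check is the part most easily forgotten: a certificate carrying two acceptable rfc822Name values maps to nobody, because picking the first would let the certificate holder choose which account they land in. Using `subject:CN` against CERT_ALICE also yields None, since "Alice Example" is not a usable login name under the form enforced here.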