[kmf-discuss] DN/subjectAltName mapping to username
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Thu Dec 20 11:35:12 PST 2007
Massimiliano Pala wrote:
> Jan Pechanec wrote:
> > those auxiliary files with various mapping information. Obviously
> > some mappers wouldn't need such files, CN mapper for example.
>
> Really, I am sorry to stress this point, but you should at least use
> CN+CA to identify a user.
Yes, you cannot rely on CN alone. Agreed.
>
> >> If so, then we also need to introduce a new tool (or maybe
> >> enhance an existing
> [...]
> >> If we create this "kmf_map_cert_to_username()" function, what
> >> would it actually do? A process calling this may or may not be
> >> privileged enough to update the mapping table
> >
> > kmf_map_cert_to_username() shall return a username or an error
> > code.
> [..]
>
> What about integrating it into a PAM module? I think that this function
> is not (should not be) included in KMF. Instead, as it is more a user
> auth issue, IMHO this function should be provided by a PAM module
> (that will make use of KMF).
I disagree here. The ability to map a certificate to a user is very much
a KMF function. This ability by itself does not constitute any sort of
authentication. Though it would definitely be used by an authentication
module, I don't think that it should be its own auth module.
Huie-Ying is working on the pam_pkcs11 module, that module could be a
consumer of the KMF mapping feature though.
-Wyllys
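The point made in the thread that a CN alone cannot identify a user, but CN plus issuing CA can, is illustrated below. This is an added example, not KMF code and not the kmf_map_cert_to_username() function the thread discusses; the function names, the mapping table layout and the two self-signed CAs are all assumptions made for the demonstration. It uses the third-party Python `cryptography` package to mint two leaf certificates with the same CN "alice" from two different CAs, shows that a CN-only lookup conflates them while an (issuer, CN) lookup does not, and adds the check a practitioner would want before trusting the issuer field at all: the issuer name is just a string any certificate can carry, so it only identifies the CA once the signature has actually been verified against that CA's key.

```python
"""
Added example (not KMF or pam_pkcs11 code): map an X.509 certificate to a
local username by (issuer DN, subject CN) instead of subject CN alone.
Assumes the third-party 'cryptography' package; all CA/user names are
constructed for the demo.
"""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn, org):
    return x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
    ])


def _issue(subject, issuer_name, signing_key, subject_key, is_ca):
    """Build and sign a certificate. Note that issuer_name is free-form: the
    builder does not check that signing_key belongs to that issuer, which is
    exactly why a consumer must verify the signature before trusting it."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject)
               .issuer_name(issuer_name)
               .public_key(subject_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                              critical=True))
    return builder.sign(signing_key, hashes.SHA256())


def make_ca(org):
    key = ec.generate_private_key(ec.SECP256R1())
    name = _name(org + " Root CA", org)
    return key, _issue(name, name, key, key, True)


def make_leaf(ca_key, ca_cert, cn, signing_key=None):
    """Issue a user cert. signing_key != ca_key simulates a forged issuer."""
    key = ec.generate_private_key(ec.SECP256R1())
    return _issue(_name(cn, "Users"), ca_cert.subject,
                  signing_key or ca_key, key, False)


def cn_of(name):
    attrs = name.get_attributes_for_oid(NameOID.COMMON_NAME)
    if len(attrs) != 1:
        raise ValueError("expected exactly one CN")
    return attrs[0].value


def verify_issued_by(cert, ca_cert):
    """True only if cert names ca_cert as issuer AND ca_cert's key signed it."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def map_cert_by_cn_only(cert, table):
    """The weak mapper: subject CN is the whole key."""
    return table[cn_of(cert.subject)]


def map_cert_to_username(cert, trusted_cas, table):
    """Hypothetical stand-in for the discussed mapping call: returns a
    username, or raises KeyError (the 'error code') if the cert does not
    chain to a trusted CA or the (issuer, CN) pair is not in the table."""
    if not any(verify_issued_by(cert, ca) for ca in trusted_cas):
        raise KeyError("issuer not trusted or signature invalid")
    return table[(cert.issuer.rfc4514_string(), cn_of(cert.subject))]


def demo():
    corp_key, corp_ca = make_ca("Corp")
    partner_key, partner_ca = make_ca("Partner")
    alice_corp = make_leaf(corp_key, corp_ca, "alice")
    alice_partner = make_leaf(partner_key, partner_ca, "alice")
    # Attacker-controlled cert claiming Corp as issuer but signed by its own key.
    forged = make_leaf(corp_key, corp_ca, "alice",
                       signing_key=ec.generate_private_key(ec.SECP256R1()))

    cn_table = {"alice": "alice"}
    ca_cn_table = {
        (corp_ca.subject.rfc4514_string(), "alice"): "alice",
        (partner_ca.subject.rfc4514_string(), "alice"): "partner_alice",
    }
    trusted = [corp_ca, partner_ca]
    try:
        map_cert_to_username(forged, trusted, ca_cn_table)
        forged_rejected = False
    except KeyError:
        forged_rejected = True
    return {
        "cn_only_collides": map_cert_by_cn_only(alice_corp, cn_table)
                            == map_cert_by_cn_only(alice_partner, cn_table),
        "corp": map_cert_to_username(alice_corp, trusted, ca_cn_table),
        "partner": map_cert_to_username(alice_partner, trusted, ca_cn_table),
        "forged_rejected": forged_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The mapping table here is keyed on the issuer's RFC 4514 string plus the CN; a real deployment would more likely key on the CA certificate's fingerprint, since two different CAs can legitimately carry the same DN, and the signature check would be replaced by full chain validation (path, validity period, revocation).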