[kmf-discuss] more detailed proposal for cert-to-name mapping
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Mon Feb 25 11:30:23 PST 2008
Jan Pechanec wrote:
> On Mon, 25 Feb 2008, Wyllys Ingersoll wrote:
>
>> What does "match_cert_to_name" do?
>>
>
> checks if the name supplied matches the one in the certificate.
> pam_pkcs11 has it and I think it's a good idea. Some apps will need the
> name, some (ssh) will just need to check if it matches the name supplied.
>
> it might even come in handy for some applications to get full
> username at domain but match it against username only. Options might say
> "dontmatchdomain". It would be nice if no extra work was needed for the
> developer. match() will be just a simple wrapper around map() in the mapper
> object.
>
>
OK
>>> mapper-setting="ignorecase,ignoredomain"
>>>
>>>
>> Just a nit, but how about "mapper-options" instead of "setting" ?
>>
>
> definitely
>
>
Cool.
>>> mapper_map_cert_to_name(KMF_DATA *cert, KMF_DATA **name);
>>> mapper_match_cert_to_name(KMF_DATA *cert, char *name);
>>>
>> Also consider "mapper_get_error_string(int mapper_errcode, char **err);"
>>
>
> ah, yes, I forgot about this one.
>
> we might want to call it kmf_get_mapper_error_str() so that it's
> consistent with kmf_get_plugin_error_str().
>
>
Yes, good.
>> I agree, but I think "evolving" is now "volatile".
>>
>
> sorry, I've been shifting "read taxonomy docs" in my todo list down
> and down for far too long I guess
>
> I think we might try to implement a prototype before filing an ARC
> case, what do you think? So that we are sure that we have all we want. We
> can use a very simple mapper and I can verify it in my SunSSH+x509 prototype
> implementation then.
>
>
Yes, I can try to prototype the framework parts this week (libkmf,
kmfcfg). If you want to try and flesh out a simple mapper to go with it.
After this week, I am travelling on business for 2 weeks and then taking
a week of vacation. So I will try to get a lot done before I go. I will
be many, many time zones away, so email will probably be delayed for a
while.
-Wyllys
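
The match-as-a-wrapper-around-map idea with "ignorecase,ignoredomain" options discussed in this thread, as an added sketch that is not code from the thread or from libkmf. All function and flag names are hypothetical, plain strings stand in for KMF_DATA and for certificate parsing, and it assumes "ignoredomain" strips the domain from both the mapped and the supplied name.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define OPT_IGNORECASE   0x1  /* hypothetical flags for mapper-options */
#define OPT_IGNOREDOMAIN 0x2

/* Parse the option list; an unknown token returns -1 so a typo fails loudly. */
int parse_mapper_options(const char *s) {
    int flags = 0;
    while (*s != '\0') {
        size_t n = strcspn(s, ",");
        if (n == 10 && strncmp(s, "ignorecase", n) == 0) flags |= OPT_IGNORECASE;
        else if (n == 12 && strncmp(s, "ignoredomain", n) == 0) flags |= OPT_IGNOREDOMAIN;
        else return -1;
        s += n;
        if (*s == ',') s++;
    }
    return flags;
}

/* Stand-in for map(): the "certificate" is its extracted identity string. */
int mapper_map(const char *cert_id, char *name, size_t len) {
    if (cert_id == NULL || strlen(cert_id) >= len) return -1;
    strcpy(name, cert_id);
    return 0;
}

/* Length to compare: up to '@' when the domain is ignored. */
static size_t cmp_len(const char *s, int flags) {
    const char *at = (flags & OPT_IGNOREDOMAIN) ? strchr(s, '@') : NULL;
    return at ? (size_t)(at - s) : strlen(s);
}

/* match() as a wrapper around map(): 1 match, 0 no match, -1 error. */
int mapper_match(const char *cert_id, const char *supplied, int flags) {
    char mapped[256];
    if (supplied == NULL || flags < 0) return -1;
    if (mapper_map(cert_id, mapped, sizeof mapped) != 0) return -1;
    size_t ml = cmp_len(mapped, flags), sl = cmp_len(supplied, flags);
    if (ml == 0 || ml != sl) return 0;  /* empty names never match */
    return ((flags & OPT_IGNORECASE) ? strncasecmp(mapped, supplied, ml)
                                     : strncmp(mapped, supplied, ml)) == 0;
}

int main(void) {
    int f = parse_mapper_options("ignorecase,ignoredomain");
    printf("%d\n", mapper_match("JanP@Example.COM", "janp", f)); /* constructed input */
    return 0;
}
```

With the domain ignored, names from different domains compare equal, so a caller that cares which domain issued the identity has to check that separately.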