[kmf-discuss] DN/subjectAltName mapping to username

Jan Pechanec Jan.Pechanec at Sun.COM
Thu Jan 3 10:05:52 PST 2008


On Fri, 21 Dec 2007, Nicolas Williams wrote:

>Whatever the syntax, the choices don't seem trivial.  There are too many
>options, and it's not necessarily clear which ones we shouldn't bother
>with (we'd need a lot of data on both, existing and planned PKI
>deployments, as well as on CA software capabilities).

	hi, picking up where we last left off before xmas...

	when I see your list and when I read again the example config file 
for pam_pkcs11 module, I'm thinking that we should implement mapper modules. 
The policy would specify a module path + optional configuration file and 
everything else would be up to the module which would export some API. So, 
if anything is to be changed, only the module (or a new one) needs to be 
changed (or provided).

	and this is how pam_pkcs11 works, the module uses other mapper 
modules. So, this leads to a suggestion simply to use the same modules as 
pam_pkcs11 uses, and possibly provide new ones when needed. The existing set 
of modules is quite rich already, and includes modules for both (2) and (3). 
So, the policy could specify the mapper name and everything else could be in 
pam_pkcs11.conf, or we could provide a different configuration file with the 
same syntax if the system wide configuration is not what we want.

	thoughts?


> - (2).  Certs can have multiple SANs, including multiple rfc822Name
>   SANs, and it's not much to ask that CAs issue their users certs with
>   an rfc822Name SAN that is of the form <username>@<domain>.
>
> - (3).  Folks deploying PKIs can be expected to have LDAP directories
>   deployed as well.  Asking them to add an indexed attribute for
>   mapping certs to user objects should be OK.

-- 
Jan Pechanec
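To make the mapper-module idea concrete, here is an added example (my own sketch, not code from the thread, from KMF or from pam_pkcs11): two mappers, one for option (2) (rfc822Name SAN of the form <username>@<domain>, refusing ambiguous certs with several candidate names) and one that takes a configured attribute out of the subject DN, selected by name from a policy. The mapper names, the policy/config keys and the pre-parsed certificate dicts are assumptions so the code runs offline without an X.509 library.

```python
# Added example (not from the thread or pam_pkcs11): pluggable mapper modules.
# Mapper names/config keys are assumed; certs arrive pre-parsed as plain dicts.
import re

def parse_dn(dn):
    """RFC 4514 DN string -> [(attr, value)], honouring '\\,' and '\\2C' escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):          # escaped char or hex pair
            if re.fullmatch(r'[0-9A-Fa-f]{2}', dn[i + 1:i + 3]):
                cur.append(chr(int(dn[i + 1:i + 3], 16))); i += 3
            else:
                cur.append(dn[i + 1]); i += 2
        elif dn[i] == ',':                             # unescaped RDN separator
            rdns.append(''.join(cur)); cur = []; i += 1
        else:
            cur.append(dn[i]); i += 1
    rdns.append(''.join(cur))
    pairs = []
    for rdn in rdns:
        attr, eq, value = rdn.strip().partition('=')
        if not eq:
            raise ValueError('malformed RDN: %r' % rdn)
        pairs.append((attr.strip().lower(), value))
    return pairs

def map_rfc822_san(cert, config):
    """Option (2): username from an rfc822Name SAN of the form <username>@<domain>."""
    domains = {d.lower() for d in config['domains']}
    found = set()
    for kind, value in cert['sans']:
        if kind != 'rfc822Name' or value.count('@') != 1:
            continue
        local, domain = value.split('@')
        if local and domain.lower() in domains:        # domain is case-insensitive,
            found.add(local)                           # local part is kept as-is
    return found.pop() if len(found) == 1 else None    # none or ambiguous -> no mapping

def map_subject_attr(cert, config):
    """DN mapper: value of the first configured attribute (e.g. uid, cn) in the subject."""
    pairs = parse_dn(cert['subject'])
    for attr in config['attributes']:
        for a, v in pairs:
            if a == attr.lower():
                return v
    return None

MAPPERS = {'rfc822Name': map_rfc822_san, 'subject': map_subject_attr}  # policy picks by name
def map_cert_to_user(policy, cert):
    return MAPPERS[policy['mapper']](cert, policy.get('config', {}))
```

A cert carrying two different rfc822Name SANs in the configured domain is deliberately left unmapped rather than guessed at; that is the kind of policy choice the thread says is not trivial.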
