Ulrich Windl wrote:
> Michael Ströder <michael@stroeder.com> wrote on 01.11.2013 at 19:26 in
>> Unfortunately it's not that easy:
>> Consider a (somewhat broken) "official" CA, which you definitely cannot avoid or fix and which issues client certs with non-unique subject-DNs. In this case one has to choose a certain client cert e.g. by issuer-DN/serial for the mapping.
> CAs either accept the subject name in the certification request, or they deny it, but they never change it.

Not true and also not relevant here.

>> Also consider that you want to off-load revocation checking of client certs
>> to an external process for better performance. In this case you also need to distinguish client certs by some more information than just a subject-DN.
> "you" is the process that handles CRLs. That process should be able to do it properly.

What exactly do you want to say?

>> Furthermore it's really not unusual to have several CAs which issue client certs for different purposes. So IMHO it should be possible to map client certs by a certain CA only to a certain subset of authz-DNs.
> That's also wrong: You don't have to observe the issuing CA, but the certificate's attributes, like "X509v3 Key Usage".

Well, I'm not new to PKI but I don't get what you say. I don't want to "observe the CA".
I just want to make sure that client certs issued by CA1 get mapped to certain authz-DNs (server objects in my case) and others issued by CA2 get mapped to other authz-DNs.
Did you really understand what I wrote?
Ciao, Michael.
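The mapping policy Michael describes above (certs from CA1 only ever map into one authz-DN subtree, certs from CA2 into another, and two certs with the same subject DN from the same CA told apart by serial number) can be written down as a small verifier-plus-lookup. The Go program below is an added example for this thread, not code from OpenLDAP or from either poster. It builds a throw-away in-memory PKI with three CAs (constructed data), verifies each client cert against one trusted issuer at a time, requires the clientAuth extended key usage as Ulrich suggests, and only then derives the authz-DN from the issuer that actually validated the chain plus the serial number or CN. The subtrees `ou=people,dc=example,dc=com` and `ou=servers,dc=example,dc=com` and the CA names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuerRule is one entry of the per-CA mapping policy: certs that chain to this
// CA may only map into authzBase, and a subject the CA has issued more than once
// is told apart by serial number (upper-case hex). Subtrees are hypothetical.
type issuerRule struct {
	pool      *x509.CertPool
	authzBase string
	bySerial  map[string]string
}

// authzDN verifies leaf as a client cert against each trusted issuer in turn
// and derives the authz-DN from (issuer, serial) or, failing that, (issuer, CN).
// The subject DN alone is never the lookup key.
func authzDN(rules []issuerRule, leaf *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	for _, r := range rules {
		opts.Roots = r.pool
		if _, err := leaf.Verify(opts); err != nil {
			continue // not issued by this CA, or not a client cert: try the next rule
		}
		if dn, ok := r.bySerial[fmt.Sprintf("%X", leaf.SerialNumber)]; ok {
			return dn, nil
		}
		return fmt.Sprintf("cn=%s,%s", leaf.Subject.CommonName, r.authzBase), nil
	}
	return "", fmt.Errorf("cert with subject %q chains to no trusted issuer", leaf.Subject.CommonName)
}

// sign issues tmpl under parent (parent == tmpl gives a self-signed CA) and
// returns the parsed certificate; the test PKI below lives entirely in memory.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate parses cleanly
	return cert
}

func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// demoResult carries the authz-DNs computed for the constructed scenario.
type demoResult struct {
	A, B, C         string
	UnknownRejected bool
}

// demoScenario builds the situation from the thread with constructed data:
// CA1 issues two certs with the identical subject, CA2 issues a cert with that
// same subject for another purpose, and a fourth cert comes from an untrusted CA.
func demoScenario() demoResult {
	ca1, k1 := newCA("Broken Official CA")
	ca2, k2 := newCA("Internal Server CA")
	ca3, k3 := newCA("Unknown CA")
	pool1, pool2 := x509.NewCertPool(), x509.NewCertPool()
	pool1.AddCert(ca1)
	pool2.AddCert(ca2)
	rules := []issuerRule{
		{pool: pool1, authzBase: "ou=people,dc=example,dc=com", // hypothetical authz-DN subtrees
			bySerial: map[string]string{"3EA": "cn=ldap-client-2,ou=people,dc=example,dc=com"}},
		{pool: pool2, authzBase: "ou=servers,dc=example,dc=com"},
	}
	a, _ := authzDN(rules, newLeaf(ca1, k1, "ldap-client", 1001))
	b, _ := authzDN(rules, newLeaf(ca1, k1, "ldap-client", 1002)) // serial 0x3EA
	c, _ := authzDN(rules, newLeaf(ca2, k2, "ldap-client", 7))
	_, err := authzDN(rules, newLeaf(ca3, k3, "ldap-client", 1))
	return demoResult{A: a, B: b, C: c, UnknownRejected: err != nil}
}
```

The point of the design is the order of operations: chain validation against a single issuer pool happens first, and the issuer that succeeded selects the authz-DN subtree; a regexp over the subject DN alone cannot express that, because the identical subject `cn=ldap-client` legitimately exists under both CAs here. Revocation checking (CRL or OCSP) is deliberately left outside the function, as in the thread's off-loading scenario, and would key on the same (issuer, serial) pair the mapping already uses.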