[RFC] EXTERNAL auth choosing between CN and email address?

Kevin P. Fleming kpfleming at starnetworks.us
Thu Feb 24 11:44:54 EST 2005


Marco Colombo wrote:

> What field is that, exactly? v3 extension?

I'm not sure... it's in the OpenSSL header files as 
"NID_pkcs9_emailAddress".

> Anyway, the goal of authentication is to identify users not email
> addresses. The whole idea of using certs is broken, unless you use
> the cert itself. No CA makes any attempt to provide _unique_ information.
> And the uniqueness of an email address is pretty weak. The only unique
> info you can extract from a cert is the public key, which is what you're
> actually using to identify the remote party.

I agree, but in this case the email address _is_ the user name.

> Of course, if your server trust only _one_ CA, and you have control
> on how that CA works, you can use certs safely. You can make sure
> CN data (or any data) is unique.

Exactly, that's the only scenario where this is viable. When I document 
this for people to use, I'll make that perfectly clear: if you configure 
your system to accept _any_ client certificate, you are not doing 
yourself any good. This method _only_ works when you are administering 
the CA yourself and have complete control over the contents of the certs 
and who has access to them. Granted, I could also just make the CN in 
the cert be the user's email address, but I'd rather leave it as their 
full name (it's much nicer in Horde that way, plus we also use it for Trac).
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
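
The scenario Kevin describes above (trust exactly one CA that you run yourself, then read the EXTERNAL user name out of the subject's emailAddress attribute, or the CN) as an added, self-contained example. This is not code from the thread or from Cyrus; the NewCA and NewClientCert helpers are stand-ins for a self-administered CA, and the names, addresses and serial numbers are constructed for the example. The point it makes concrete is that the attribute lookup is only meaningful after the chain check against the single trusted root has passed; a cert with an identical subject from any other CA is rejected before its subject is ever consulted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKCS#9 emailAddress, 1.2.840.113549.1.9.1 (NID_pkcs9_emailAddress in OpenSSL).
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// Which subject attribute becomes the EXTERNAL user name.
const (
	FieldEmail = "emailAddress"
	FieldCN    = "CN"
)

// NewCA makes a self-signed CA. Hypothetical helper standing in for
// "the CA you administer yourself"; a real deployment would load it from disk.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewClientCert issues a client cert (hypothetical helper) whose subject carries
// CN=<full name> and emailAddress=<email> (IA5String, as PKCS#9 specifies).
func NewClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, fullName, email string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject: pkix.Name{
			CommonName: fullName,
			ExtraNames: []pkix.AttributeTypeAndValue{{
				Type:  oidEmailAddress,
				Value: asn1.RawValue{Tag: asn1.TagIA5String, Bytes: []byte(email)},
			}},
		},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ExternalUser derives the EXTERNAL user name from a presented client cert.
// The cert must chain to exactly the one trusted CA; only then is a subject
// attribute (emailAddress or CN) read out and returned as the user name.
func ExternalUser(cert, trusted *x509.Certificate, field string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted) // the single CA we control, nothing else
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("client cert not issued by our CA: %w", err)
	}
	switch field {
	case FieldCN:
		if cert.Subject.CommonName == "" {
			return "", errors.New("subject has no CN")
		}
		return cert.Subject.CommonName, nil
	case FieldEmail:
		for _, atv := range cert.Subject.Names {
			if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidEmailAddress) && s != "" {
				return s, nil
			}
		}
		return "", errors.New("subject has no emailAddress")
	}
	return "", fmt.Errorf("unknown identity field %q", field)
}

func main() {
	ca, caKey, err := NewCA("Example Mail CA")
	if err != nil {
		panic(err)
	}
	cert, err := NewClientCert(ca, caKey, "Alice Example", "alice@example.com", 2)
	if err != nil {
		panic(err)
	}
	user, err := ExternalUser(cert, ca, FieldEmail)
	fmt.Println("user:", user, err)
	// Same subject, different (untrusted) CA: rejected before the subject is read.
	rogue, rogueKey, _ := NewCA("Someone Else's CA")
	forged, _ := NewClientCert(rogue, rogueKey, "Alice Example", "alice@example.com", 2)
	_, err = ExternalUser(forged, ca, FieldEmail)
	fmt.Println("forged:", err)
}
```

Note that nothing here makes the emailAddress or CN unique across the certs your CA issues; that is the CA's job, which is why the approach only works when you control issuance.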