[RFC] EXTERNAL auth choosing between CN and email address?
Kevin P. Fleming
kpfleming at starnetworks.us
Thu Feb 24 11:44:54 EST 2005
Marco Colombo wrote:
> What field is that, exactly? v3 extension?
I'm not sure... it's in the OpenSSL header files as
"NID_pkcs9_emailAddress".
> Anyway, the goal of authentication is to identify users not email
> addresses. The whole idea of using certs is broken, unless you use
> the cert itself. No CA makes any attempt to provide _unique_ information.
> And the uniqueness of an email address is pretty weak. The only unique
> info you can extract from a cert is the public key, which is what you're
> actually using to identify the remote party.
I agree, but in this case the email address _is_ the user name.
> Of course, if your server trusts only _one_ CA, and you have control
> over how that CA works, you can use certs safely. You can make sure
> CN data (or any data) is unique.
Exactly, that's the only scenario where this is viable. When I document
this for people to use, I'll make that perfectly clear: if you configure
your system to accept _any_ client certificate, you are not doing
yourself any good. This method _only_ works when you are administering
the CA yourself and have complete control over the contents of the certs
and who has access to them. Granted, I could also just make the CN in
the cert be the user's email address, but I'd rather leave it as their
full name (it's much nicer in Horde that way, plus we also use it for Trac).
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
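The mapping discussed above, as an added example that is not code from this thread or from Cyrus: a pure-stdlib Python sketch that takes a client certificate's DER-encoded subject and issuer, accepts only certificates from the single CA you administer, and uses the emailAddress attribute (OpenSSL's NID_pkcs9_emailAddress) as the username, falling back to CN. The CA name and the sample users are constructed; the DER encoder exists only to build those samples.

```python
# Added example, not code from the thread or from Cyrus: map a client cert's
# DER-encoded subject to a SASL username, preferring emailAddress (OpenSSL's
# NID_pkcs9_emailAddress) over CN, and rejecting any cert whose issuer is not
# the one CA we administer. Pure stdlib; all sample names are constructed.
OID_CN = bytes.fromhex("550403")                 # 2.5.4.3 (OID body only)
OID_EMAIL = bytes.fromhex("2a864886f70d010901")  # 1.2.840.113549.1.9.1

def _tlv(tag, body):
    """DER tag-length-value (bodies up to 255 bytes; enough for a Name)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def encode_name(attrs):
    """Build a DER Name from [(oid_body, text)]; emailAddress is IA5String."""
    rdns = b""
    for oid, text in attrs:
        tag = 0x16 if oid == OID_EMAIL else 0x0C       # IA5String / UTF8String
        atv = _tlv(0x30, _tlv(0x06, oid) + _tlv(tag, text.encode()))
        rdns += _tlv(0x31, atv)                        # one single-value RDN
    return _tlv(0x30, rdns)

def _read(buf, pos):
    """Decode one DER TLV at pos; returns (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    k = 0 if first < 0x80 else first & 0x7F            # long-form length bytes
    n = first if k == 0 else int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    start = pos + 2 + k
    return tag, buf[start:start + n], start + n

def parse_name(der):
    """Return {oid_body: text} for every AttributeTypeAndValue in a Name."""
    _, seq, _ = _read(der, 0)
    attrs, pos = {}, 0
    while pos < len(seq):                              # each RDN is a SET
        _, rdn, pos = _read(seq, pos)
        p = 0
        while p < len(rdn):                            # each ATV is a SEQUENCE
            _, atv, p = _read(rdn, p)
            _, oid, q = _read(atv, 0)
            _, val, _ = _read(atv, q)
            attrs[oid] = val.decode()
    return attrs

TRUSTED_ISSUER = encode_name([(OID_CN, "Example Mail CA")])  # constructed CA DN

def sasl_username(subject_der, issuer_der):
    """None unless our CA issued the cert; else email, falling back to CN."""
    if issuer_der != TRUSTED_ISSUER:                   # DER is canonical: byte-compare
        return None
    s = parse_name(subject_der)
    return s.get(OID_EMAIL) or s.get(OID_CN)
```

A real deployment would take the subject and issuer from the verified peer certificate after the TLS handshake; the issuer check here only makes sense once chain validation against that same CA has already succeeded.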