Jeffrey Altman wrote:
>
> I am looking for a summary of people's experiences with using client
> certs to authenticate end users to Unix services.
>
> How are you mapping a client cert to a local Unix account name?
>
> Are you using a field within the cert? If so, which one(s)? Are
> different fields used for different services?
>
> Or are you using some form of Certificate Mapping Service which takes
> a validated cert as input and returns a local account name? If so,
> how are you implementing this service?
>
> Are you issuing a single cert for multiple services? Or one cert per
> service?
>
Well, I haven't done this personally, but...
The subject name or one of its fields isn't the ideal place unless you
map the whole subject name to a user ID.
A better place to put these things is in an extension. One example which
is specifically intended for this purpose is the Thawte strong extranet
extension, which can be read by OpenSSL, but generating it on a per-user
basis isn't properly supported. There are some papers on this on
www.thawte.com.
If you are issuing certificates yourself then you can use any mapping
you like. If, however, you are using an external authority, then you are
effectively giving them the power to access your accounts if you just
rely on a field or extension; you may not want to give them this power.
A different technique is to map the public key of the certificate or
something like the hash of the certificate to a user ID. This has the
advantage that the hash cannot be forged by a rogue CA unless they know
the user's private key (which they won't in general). This means that any
CA can be used, even self-signed certificates.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
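Steve's last suggestion, keying the account mapping on the user's public key rather than on a name the CA chose, worked through as an added example. This is not code from the thread or from OpenSSL. It assumes the TLS layer has already validated the certificate (chain, validity period, revocation); it does no signature checking itself. The certificates below are constructed DER blobs with placeholder key and signature bytes (not real RSA material), the DER walker handles only the single-byte tags that appear in them, and the account tables are made-up enrolment data. Two hashes are computed: the whole-certificate fingerprint, which changes on every reissue, and the hash of the DER SubjectPublicKeyInfo, which stays fixed across reissue by any CA but cannot be matched by a rogue CA that does not hold the user's private key; the naive subject-name lookup is shown alongside to make the failure mode visible.

```python
"""Map an already-validated X.509 client cert to a local Unix account.

Added example, not from the original thread. Certificates here are
constructed with placeholder key/signature bytes; they are not real.
"""
import hashlib

# --- minimal DER TLV helpers (single-byte tags only; assumption) -----------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):
    return der(0x30, b"".join(items))

def der_children(buf):
    """Split a concatenation of DER TLVs into (tag, body) pairs."""
    out, i = [], 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                       # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

# --- pulling fields out of a certificate ----------------------------------

def tbs_fields(der_cert):
    """tbsCertificate children with the optional [0] version stripped:
    serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ..."""
    _, outer = der_children(der_cert)[0]   # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs = der_children(outer)[0]
    fields = der_children(tbs)
    if fields and fields[0][0] == 0xA0:    # version is [0] EXPLICIT in v2/v3 certs
        fields = fields[1:]
    return fields

def subject_dn(der_cert):
    tag, body = tbs_fields(der_cert)[4]
    return der(tag, body)                  # full Name TLV, re-encoded

def spki(der_cert):
    tag, body = tbs_fields(der_cert)[5]
    return der(tag, body)                  # full SubjectPublicKeyInfo TLV

def key_id(der_cert):
    """Identifier bound to the user's key, not to the CA: SHA-256 over the SPKI."""
    return hashlib.sha256(spki(der_cert)).hexdigest()

def cert_fingerprint(der_cert):
    """Whole-certificate hash; changes whenever the cert is reissued."""
    return hashlib.sha256(der_cert).hexdigest()

def map_by_key(der_cert, table):
    """Mapping service: validated cert in, local account (or None) out."""
    return table.get(key_id(der_cert))

def map_by_subject(der_cert, table):
    """The fragile alternative: trust whatever name the issuing CA wrote."""
    return table.get(subject_dn(der_cert))

# --- constructed test certificates (assumption: placeholder key material) --

OID_CN = der(0x06, b"\x55\x04\x03")                                 # 2.5.4.3 commonName
OID_RSA = der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01")         # rsaEncryption
OID_SHA256_RSA = der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B")  # sha256WithRSAEncryption

def name(cn):
    return seq(der(0x31, seq(OID_CN, der(0x0C, cn.encode()))))

def make_cert(issuer_cn, subject_cn, pubkey_bytes):
    """v3-shaped certificate; key and signature bytes are placeholders."""
    tbs = seq(
        der(0xA0, der(0x02, b"\x02")),                            # version v3
        der(0x02, b"\x01"),                                       # serialNumber
        seq(OID_SHA256_RSA, der(0x05, b"")),                      # signature algorithm
        name(issuer_cn),
        seq(der(0x17, b"240101000000Z"), der(0x17, b"340101000000Z")),
        name(subject_cn),
        seq(seq(OID_RSA, der(0x05, b"")), der(0x03, b"\x00" + pubkey_bytes)),
    )
    return seq(tbs, seq(OID_SHA256_RSA, der(0x05, b"")), der(0x03, b"\x00" + b"\xEE" * 16))

ALICE_KEY = bytes(range(1, 65))        # constructed placeholder, not a real key
ROGUE_KEY = bytes(range(64, 128))      # a different placeholder key
CERT_ORIGINAL = make_cert("Corp CA", "alice", ALICE_KEY)
CERT_REISSUED = make_cert("Other CA", "alice", ALICE_KEY)   # same key, any CA
CERT_ROGUE = make_cert("Rogue CA", "alice", ROGUE_KEY)      # same name, attacker's key

# Enrolment: record the key hash from a cert the user presented once.
KEY_TABLE = {key_id(CERT_ORIGINAL): "alice"}
SUBJECT_TABLE = {subject_dn(CERT_ORIGINAL): "alice"}

def demo():
    return {
        "original_by_key": map_by_key(CERT_ORIGINAL, KEY_TABLE),
        "reissued_by_key": map_by_key(CERT_REISSUED, KEY_TABLE),
        "rogue_by_key": map_by_key(CERT_ROGUE, KEY_TABLE),
        "rogue_by_subject": map_by_subject(CERT_ROGUE, SUBJECT_TABLE),
        "fingerprint_changes_on_reissue": cert_fingerprint(CERT_ORIGINAL) != cert_fingerprint(CERT_REISSUED),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The table is keyed on the SPKI hash rather than on the whole-certificate fingerprint so that a renewed or re-issued certificate for the same key keeps mapping to the same account without re-enrolment, while the rogue CA's certificate, which carries the right name but a different key, maps to nobody. In a real deployment the DER walker would be replaced by the TLS library's own accessors (for OpenSSL, the DER of `X509_get_X509_PUBKEY()` via `i2d_X509_PUBKEY()`), and the enrolment step that populates the table is where the account binding is actually decided.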