On 2009.11.11 at 16:04:12 +0100, David Sommerseth wrote:
> I completely agree that under normal circumstances, it should be enough
> by letting OpenSSL take care of the certificate chain. But as OpenVPN
> now does list more certificates already, I was just trying to keep that
> possibility still open.
>
> In the OpenVPN plug-in I've written which does username, password and
> certificate authentication, I've been playing with an idea of using the
> certificate chain to apply different "rules" (network, login hours, etc)
> based on the certificate chain as well.
I think it is what certificate policies are for (see RFC 5280). Unfortunately, policy support is very poorly documented in OpenSSL (although some documentation for certificate chain verification was added in 1.0.0 beta 4, and it is applicable to early versions as well).

So my patch for policy checking allows only specifying several policies to accept. It doesn't pass to scripts/plugins the policy that was found in the certificate after all policy mappings found in CA certificates were applied.

There are also attribute certificates, which can be used for such authorization purposes as well.
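The standard OpenSSL side of what the reply describes, as an added example that is not part of the thread and not the patch being discussed: the `openssl verify` options `-policy_check`, `-policy OID` and `-explicit_policy` let the verifier name the policy OIDs it accepts and reject a chain that asserts none of them, and `-policy_print` shows the valid policy tree that OpenSSL computes (the information which, per the reply, the patch does not hand on to scripts or plug-ins). The CA, the client certificate and the OID `1.3.6.1.4.1.99999.1` are all constructed throwaway values for this demonstration, not identifiers from any real deployment.

```shell
#!/bin/sh
# Added example: RFC 5280 certificate-policy checking with the openssl CLI.
# Builds a throwaway CA and one client certificate, both asserting a
# constructed demonstration policy OID, then verifies the client certificate
# once with that OID required and once with a different OID required.
set -e

POLICY_OK="1.3.6.1.4.1.99999.1"   # constructed OID the chain actually asserts
POLICY_BAD="1.3.6.1.4.1.99999.2"  # constructed OID the chain does not assert

# build_chain DIR: writes ca.pem (self-signed CA) and ee.pem (client cert
# signed by it) into DIR. Both carry certificatePolicies = POLICY_OK.
build_chain() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Policy CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
certificatePolicies = ${POLICY_OK}
EOF
    cat > "$dir/ee.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo-client
[v3_ee]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
certificatePolicies = ${POLICY_OK}
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ee.cnf" \
        -keyout "$dir/ee.key" -out "$dir/ee.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/ee.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -set_serial 1 -extfile "$dir/ee.cnf" \
        -extensions v3_ee -out "$dir/ee.pem" >/dev/null 2>&1
}

# verify_with_policy DIR OID: exit 0 only when ee.pem chains to ca.pem AND
# the resulting valid policy tree contains OID. -explicit_policy turns
# "no matching policy" into a hard verification failure instead of a pass.
verify_with_policy() {
    openssl verify -CAfile "$1/ca.pem" -policy_check -explicit_policy \
        -policy "$2" "$1/ee.pem" >/dev/null 2>&1
}

# policy_decision DIR OID: prints "accept" or "reject" for the chain in DIR
# under a requirement for policy OID.
policy_decision() {
    if verify_with_policy "$1" "$2"; then echo accept; else echo reject; fi
}

# Stand-alone demonstration.
WORK=$(mktemp -d)
build_chain "$WORK"
echo "require $POLICY_OK:  $(policy_decision "$WORK" "$POLICY_OK")"   # accept
echo "require $POLICY_BAD: $(policy_decision "$WORK" "$POLICY_BAD")"  # reject
# Print the valid policy tree OpenSSL computed for the chain. This is the
# data a plug-in would need if it wanted to apply per-policy rules.
openssl verify -CAfile "$WORK/ca.pem" -policy_check -policy_print "$WORK/ee.pem" || true
rm -rf "$WORK"
```

Without `-explicit_policy`, a chain that asserts none of the `-policy` OIDs still verifies, so a deployment that wants policy membership to gate access has to set that flag (or the equivalent `X509_V_FLAG_EXPLICIT_POLICY` in the API); `-policy_print` is useful when debugging why a tree came out empty after policy mappings in intermediate CA certificates.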