[Freeipa-devel] [RFC] Matching and Mapping Certificates

Rob Crittenden rcritten at redhat.com
Mon Oct 17 14:50:54 UTC 2016


Jan Cholasta wrote:
> Hi,
>
> On 13.10.2016 18:52, Sumit Bose wrote:
>> ===== Issuer specific matching =====
>> Although the MIT Kerberos rules allow selecting the issuer of a
>> certificate there are use cases where a more specific selection is
>> needed. E.g. if there are some default matching rules for all issuers
>> and some other issuer specific rules where the default rules should
>> not apply. To make this possible with the above scheme the default
>> rules must have an <ISSUER> clause which matches all but the issuer
>> with the specific rules. Writing regular-expressions to not match a
>> specific string or a list of strings is at least error-prone if not
>> impossible.
>>
>> To make it easier to define issuer specific rules and default rules at
>> the same time an optional issuer string can be added to the rule to
>> indicate that for the given issuer only those rules should be
>> considered. Given the use-case I think it is acceptable to require
>> that the full issuer must be specified here in LDAP order (see below)
>> and case-sensitive matching is used.
>
> This could also be solved by adding priority to rules - if two rules
> match, the one with higher priority (the issuer specific rule) is
> preferred over the one with lower priority (the default rule). IMO this
> is better than an optional issuer string as it offers greater flexibility.

The use cases I've seen haven't had to do with priority, though that
would be a nice enhancement, but with only allowing certificates issued
by a specific CA (this is pretty common in web servers).
Being able to say "only do the matching on certificates issued by foo"
is valuable.

rob
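As an added illustration of the issuer-scoped rule selection Sumit describes (the optional issuer string that makes only that issuer's rules apply, with exact, case-sensitive, LDAP-order comparison), not code from this thread or from FreeIPA, SSSD or MIT Kerberos: a constructed Python sketch that uses a simplified dict rule format in place of the real matching syntax; the rule names, issuer strings and certificate values are made up.

```python
import re

# Constructed rules (not from the thread). A rule with an "issuer" key
# applies only to certificates from exactly that issuer, and for that
# issuer the default (issuer-less) rules are not considered at all.
RULES = [
    # default rule for every other issuer: map on the subject's UID
    {"name": "default-uid", "subject": r"UID=(?P<user>[^,]+)"},
    # issuer-specific rule for the hypothetical corporate CA: map on
    # the e-mail SAN instead of the subject
    {"name": "corp-email", "issuer": "CN=Corp CA,O=Example Corp",
     "san_email": r"^(?P<user>[^@]+)@example\.com$"},
]


def select_rules(issuer, rules=RULES):
    """Rules to consider for a certificate from `issuer`.

    Issuer-specific rules take over completely when any exist; the
    comparison is an exact, case-sensitive string match, so the issuer
    must be written in the same (LDAP) order as in the rule."""
    specific = [r for r in rules if r.get("issuer") == issuer]
    return specific or [r for r in rules if "issuer" not in r]


def match_cert(cert, rules=RULES):
    """cert: dict with 'issuer', 'subject' and optional 'san_email'.

    Returns (rule name, mapped user) for the first rule whose every
    pattern matches, or None when no applicable rule matches."""
    for rule in select_rules(cert["issuer"], rules):
        user = None
        for field in ("subject", "san_email"):
            pattern = rule.get(field)
            if pattern is None:
                continue
            m = re.search(pattern, cert.get(field, ""))
            if m is None:
                user = None
                break
            user = m.group("user")
        if user is not None:
            return rule["name"], user
    return None


# Constructed sample certificates (issuer strings already in LDAP order).
CORP_CERT = {"issuer": "CN=Corp CA,O=Example Corp",
             "subject": "UID=alice,OU=People,O=Example Corp",
             "san_email": "alice@example.com"}
# Same CA, but no e-mail SAN: the default UID rule must NOT rescue it.
CORP_CERT_NO_SAN = {"issuer": "CN=Corp CA,O=Example Corp",
                    "subject": "UID=bob,OU=People,O=Example Corp"}
PARTNER_CERT = {"issuer": "CN=Partner CA,O=Partner Inc",
                "subject": "UID=carol,OU=Staff,O=Partner Inc"}
```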