[Freeipa-devel] [RFC] Matching and Mapping Certificates

Jan Cholasta jcholast at redhat.com
Mon Jan 2 08:18:47 UTC 2017


On 18.10.2016 07:34, Jan Cholasta wrote:
> On 17.10.2016 16:50, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 13.10.2016 18:52, Sumit Bose wrote:
>>>> ===== Issuer specific matching =====
>>>> Although the MIT Kerberos rules allow selecting the issuer of a
>>>> certificate there are use cases where a more specific selection is
>>>> needed. E.g. if there are some default matching rules for all issuers
>>>> and some other issuer specific rules where the default rules should
>>>> not apply. To make this possible with the above scheme the default
>>>> rules must have an <ISSUER> clause which matches all but the issuer
>>>> with the specific rules. Writing regular expressions to not match a
>>>> specific string or a list of strings is at least error-prone if not
>>>> impossible.
>>>>
>>>> To make it easier to define issuer specific rules and default rules at
>>>> the same time an optional issuer string can be added to the rule to
>>>> indicate that for the given issuer only those rules should be
>>>> considered. Given the use-case I think it is acceptable to require
>>>> that the full issuer must be specified here in LDAP order (see below)
>>>> and case-sensitive matching is used.
>>>
>>> This could also be solved by adding priority to rules - if two rules
>>> match, the one with higher priority (the issuer specific rule) is
>>> preferred over the one with lower priority (the default rule). IMO this
>>> is better than an optional issuer string as it offers greater
>>> flexibility.
>>
>> The use cases I've seen haven't had to do with priority, though that
>> would be a nice enhancement, but with only allowing certificates issued
>> by a specific CA to be allowed (this is pretty common in web servers).
>> Being able to say "only do the matching on certificates issued by foo"
>> is valuable.
>
> Sure, I'm not suggesting that matching by issuer should be removed, only
> that rule precedence should not be determined by the issuer field setting.
>

Bump. Sumit, what is your opinion on this?

-- 
Jan Cholasta
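The two proposals quoted above (an optional exact issuer string that scopes which rules are considered, versus a per-rule priority that decides precedence when several rules match) differ in one observable way, which the following added Python model makes concrete. This is illustrative code written for this page, not SSSD's or FreeIPA's rule format or implementation; the `Rule` and `Cert` classes, the rule names, the regexes and the issuer DNs are all constructed assumptions, and subject matching is reduced to a single regex over the subject DN string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """One matching rule (a hypothetical model of the RFC's rules, not SSSD's syntax)."""
    name: str
    subject_regex: str            # regex applied to the certificate subject DN
    issuer: Optional[str] = None  # optional exact issuer string: LDAP order, case-sensitive
    priority: int = 0             # used only by the priority scheme; higher wins

@dataclass(frozen=True)
class Cert:
    """The two certificate fields this model looks at (constructed, not parsed from X.509)."""
    subject: str
    issuer: str

def _subject_matches(rule: Rule, cert: Cert) -> bool:
    return re.search(rule.subject_regex, cert.subject) is not None

def match_issuer_scoped(rules: List[Rule], cert: Cert) -> List[str]:
    """Sumit's proposal: if any rule names the certificate's issuer exactly, only those
    rules are considered for that issuer; otherwise only rules without an issuer string
    apply. Default rules therefore never fall through for an issuer that has its own rules."""
    scoped = [r for r in rules if r.issuer == cert.issuer]
    candidates = scoped if scoped else [r for r in rules if r.issuer is None]
    return [r.name for r in candidates if _subject_matches(r, cert)]

def match_by_priority(rules: List[Rule], cert: Cert) -> List[str]:
    """Jan's proposal: every rule whose issuer filter passes (unset, or an exact match)
    and whose subject regex matches is a hit; among the hits only the highest priority
    wins. An issuer-specific rule that does not match falls through to the default."""
    hits = [r for r in rules
            if (r.issuer is None or r.issuer == cert.issuer) and _subject_matches(r, cert)]
    if not hits:
        return []
    top = max(r.priority for r in hits)
    return [r.name for r in hits if r.priority == top]

# Constructed issuer DN in LDAP order (most specific RDN first).
CORP_CA = "CN=Example Corp CA,O=Example Corp"

RULES = [
    Rule("default", r"^CN=[^,]+"),
    Rule("corp-staff", r"^CN=[^,]+,OU=Staff,O=Example Corp$",
         issuer=CORP_CA, priority=10),
]

def demo() -> dict:
    """Run both schemes over three constructed certificates and return
    {label: (issuer_scoped_result, priority_result)}."""
    certs = {
        "staff": Cert("CN=alice,OU=Staff,O=Example Corp", CORP_CA),
        "other": Cert("CN=bob,O=Other", "CN=Other CA,O=Other"),
        "corp-nonstaff": Cert("CN=carol,O=Example Corp", CORP_CA),
    }
    return {label: (match_issuer_scoped(RULES, c), match_by_priority(RULES, c))
            for label, c in certs.items()}

if __name__ == "__main__":
    for label, (scoped, prio) in demo().items():
        print(f"{label:14s} issuer-scoped={scoped!r:16} priority={prio!r}")
```

The first two certificates give the same answer under both schemes. The third one, issued by the corporate CA but not matching the corporate rule, is where they diverge: the issuer-scoped scheme yields no match (the default rule is never consulted for that issuer, which is the behaviour the RFC wants), while the priority scheme falls through to the default rule. A deployment that relies on priority alone therefore needs an explicit issuer-scoped rule, or an `<ISSUER>` clause on the default, to get the same exclusion.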