Bonjour, On Wed, 6 Oct 2004, Jesse I Pollard - CONTRACTOR wrote:
> On Wed, 6 Oct 2004, jmt wrote: > > > From: Jesse I Pollard - CONTRACTOR > > > > Yes... this is the most delicate problem. I assume that you are aware > > about how Mario Strasser's module checks the name. In your opinion, what > > would be the best way to get the user name from the card? > > You can't. Not really. > User names vary - on one system it might be based on the last name. > On another, the last name + first initial. And then what about > the case of multiple John Smith, or June Smith, Joe Smith, and Josephine > Smith? > > Or it might be totally unrelated. I've seen user names like U77745 > just because that was the policy at that site. > > Even on the same system you may have multiple logins (I have two - used > for totally different purposes). > > The only unique thing I've been told is an identification number > at the end of the CN string. It starts with a period, and is 10 digits > long. Maybe using that for a lookup of a list of valid login names would > be reasonable. Of course, the list of valid logins is NOT on the card. > And to get the identification number, you must have the user supply the > PIN. My advice would be to do like others do: use an X.509 certificate, and either: * do the Microsoft Way (tm) (see Q281245): add a subjectAltName extension as otherName type, add an AVA with OID 1.3.6.1.4.1.311.20.2.3 (the 1.3.6.1.4.1.311 branch is owned by Microsoft), encode the username (login name) as an UTF8 string, and add the Smart Card Logon OID (1.3.6.1.4.1.311.20.2.2) in the extendedKeyUsage extension, * do the LDAP way: in the subjectName of the certificate, add an uniqueIdentifier (OID 2.5.4.45 - ISO X.500 branch), encode the login name as a DER IA5STRING, encode this DER string as a BITSTRING, and place it as the value of the previous AVA, * do your way: reserve an OID in the 1.3.6.1.4.1 (I have one, it's free), add your own OID for this usage, and either use it as a new AVA in the subjectName or subjectAltName or another totally new extension. -- Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5 ----- FYLG> Tiens, vl� une URL qui va bien : FYLG> ftp://127.0.0.1/WaReZ/NiouZeS/WinDoZe/NeWSMoNGeR/SuPeR c'est gentil sauf que l'adresse ne fonctionne pas sa me fais une erreur -+- Furtif in Guide du Neuneu Usenet : <MODE CERVEAU OFF> -+- _______________________________________________ Muscle mailing list [EMAIL PROTECTED] http://lists.drizzle.com/mailman/listinfo/muscle
