Dmitry Morozovsky wrote:

> Now I'm staring at a very special problem: when a user already has a
> personal cert from one of the master CAs, it seems to be the "Right Thing"
> to use this cert for authorization instead of making another local user
> certificate. As I understand, the best way to use it is to sign the existing
> cert with the local CA. Am I wrong at this stage?

As far as I know an X.509 certificate can only be signed by one CA.  So
although you could substitute a different signature it would then be a
different certificate that would have to be loaded into the user's
browser separately.  This would defeat the object really.

If you wanted you could set your server to trust the CA that originally
issued that user's certificate.  Then, of course, you would have to have
a table that says which people are permitted to use your system, rather
than this being implicit in the fact that a user possesses a
certificate.  (It is often said that certificates should only be used to
vouch for identity and not as a basis for access control decisions.  Of
course in practice people do not always keep to this.)

-----------------------------------------------------------------------
Pete Chown, email  [EMAIL PROTECTED],       phone  +44 (0) 181 680 8393,
            fax    +44 (0) 181 688 8013,   mobile +44 (0) 468 765 645,
            post   58 Foss Avenue, Croydon, CR0 4EU, England
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
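The arrangement Pete describes above, trusting the CA that issued the user's certificate for authentication and keeping a separate table of who is permitted to do what, as an added example that is not part of the original thread and not OpenSSL code: Go's standard library stands in for OpenSSL to mint two throwaway CAs, import only the "master" one into the server's trust store, and run three client certificates through the check. The permission table, the subject names `dmitry@example.test` and `stranger@example.test`, the resource `/admin`, and every helper name (`template`, `mint`, `authorize`, `runScenario`) are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical permission table (constructed sample): subject CN -> resources
// that identity may use. Holding a valid certificate grants nothing by itself.
var permissions = map[string][]string{
	"dmitry@example.test": {"/admin", "/reports"},
}

// template describes a CA certificate when ca is true, else a TLS client cert.
func template(cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// mint generates a fresh P-256 key and has parent sign tmpl for it; a nil
// parent makes the certificate self-signed (our stand-in for an external root CA).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// authorize is the server-side check: authentication (does the presented
// certificate chain to a CA in our trust store?), then authorization
// (is that identity listed for this resource?). Both must pass.
func authorize(presented *x509.Certificate, roots *x509.CertPool, table map[string][]string, resource string) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("authentication failed: %w", err)
	}
	id := presented.Subject.CommonName
	for _, allowed := range table[id] {
		if allowed == resource {
			return nil
		}
	}
	return fmt.Errorf("%q authenticated, but not permitted to use %q", id, resource)
}

// runScenario trusts one of two CAs and tries three client certificates:
// "known" (trusted CA, listed) -> nil; "unknown" (trusted CA, not listed) and
// "untrusted" (issued by the other CA) -> error.
func runScenario() (map[string]error, error) {
	var firstErr error
	must := func(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return c, k
	}
	master, masterKey := must(mint(template("Master CA", true), nil, nil))
	other, otherKey := must(mint(template("Some Other CA", true), nil, nil))
	known, _ := must(mint(template("dmitry@example.test", false), master, masterKey))
	unknown, _ := must(mint(template("stranger@example.test", false), master, masterKey))
	foreign, _ := must(mint(template("dmitry@example.test", false), other, otherKey))
	if firstErr != nil {
		return nil, firstErr
	}
	roots := x509.NewCertPool()
	roots.AddCert(master) // trust the external master CA, and nothing else
	return map[string]error{
		"known":     authorize(known, roots, permissions, "/admin"),
		"unknown":   authorize(unknown, roots, permissions, "/admin"),
		"untrusted": authorize(foreign, roots, permissions, "/admin"),
	}, nil
}

func main() {
	results, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println(results)
}
```

The "unknown" case is the one the reply warns about: the user holds a perfectly valid certificate from the trusted CA, passes authentication, and is still refused because the table, not the certificate, decides access. Keying the table on the CN alone is a simplification for the example; once more than one CA is trusted, the same CN can be issued by different CAs, so a real table should key on issuer plus subject (or subject plus serial number) of the verified certificate.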
