Thank you very much for the response.
For both the responses I got, it looks like the server needs to access the
information (whether identity or attribute or whatever) present in the
certificate and use that to decide the permissions for the peer that
presented this certificate.
Is my understanding correct?

> > Yes.  The problem of granting access based on membership in a
> > group is an authorization problem.
> > This doesn't have
> > anything to do with certificates -- permissions and roles
> > change independently of binding of key to identity.  LDAP,
> > flat files, /etc/group, etc.

I also agree that this is an authorization problem. I was just trying to get
information on whether certificate handling in OpenSSL restricts me from
issuing certificates to a group instead of individuals. I guess I know it now.

> Mostly correct. Often it is convenient to have not only identity but also
> "attributes" of it certified. I.e., for the sake of the argument, identity
> "Michael" may have an attribute "employee of Tenebras", and another
> attribute "permitted access to dev repository A12".
> I'm driving at Attribute Certificates. They are supposed to have a shorter
> life than identity certs, but still long enough to be usable.
>
> > You could have a hierarchy, with a subordinate CA for each
> > role or group, if you want to manage it that way.  I wouldn't.
>
> He would have to have attribute CAs for each attribute - not necessarily
> for each value of the attribute. I.e. an attribute CA "Personnel Department"
> could issue attribute certificates "employed in position X", "granted
> access to resource Y"...

Sounds good. Now, my server will be expecting a few specific attributes in
the certificate presented by the peer, in order to regulate access to
different services, right? So the question is: which APIs in OpenSSL allow me
to access this information in the certificate?

Also, it would be really great if someone could explain the default
certificate verification process in OpenSSL.

Thank you once again for your response.
~ Urjit



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
