> > the box. And the answer is, that if you want to do client auth with
> > PKI then you can't. You need to modify the code to support whatever
> > local system is in use for certificate to ID mapping.
>
> That's simply not true. There's plenty of other ways to do it (e.g.
> trust certain CAs,
> > I'm not looking for a magic bullet. What I am looking for is a method
> > to package and distribute clients and servers that will work out of
> > the box.
>
> include simple CA with your server management software.
but I am providing just one daemon. Not a suite of services. You
don't wa
Jeffrey Altman wrote:
>
> > >What is the purpose of global CAs such as
> > >Verisign if I can't trust the certificates to identify an end user?
> >
> > That is indeed the question. At least the part before the "if" :)
> >
> > At least now you can have a single value (subject,issuer,serial#)
> >
> >What I was hoping to determine from this thread was whether or not by
> >using a verified cert one could determine in a trusted manner who the
> >user is.
you should read SPKI RFC's (2692 and 2693).
arne
__
OpenSSL Projec
On Mon, 8 Nov 1999, Jeffrey Altman wrote:
[...]
>
> What I was hoping to determine from this thread was whether or not by
> using a verified cert one could determine in a trusted manner who the
> user is. It sounds to me like the answer to that is 'no'. That if a
> user wants to use a Verisign
On Sun, 7 Nov 1999, Jeffrey Altman wrote:
> > I'm just mapping public keys (which you can extract from any certificate,
> > whoever signed it) to user-ids. This mapping is stored in a SQL database
> > containing additional data, like what services the user can use, which urls
> > (s)he can acces
> On Sun, 7 Nov 1999, Paul Khavkine wrote:
>
> > Maybe you should try kerberosV
>
> Is there a (practical!) way to use kerberosV with IE, Netscape, Outlook,
> Eudora and all the stuff which end-users use?
Actually, yes. But that is not the reason for my desire to determine
how Cert Mapping s
On Sun, 7 Nov 1999, Paul Khavkine wrote:
> Maybe you should try kerberosV
Is there a (practical!) way to use kerberosV with IE, Netscape, Outlook,
Eudora and all the stuff which end-users use?
Maybe you should try kerberosV
On Sun, 07 Nov 1999, you wrote:
> On Tue, 2 Nov 1999, Jeffrey Altman wrote:
>
> > (sorry about the null message.)
> >
> > I am looking for a summary of people's experiences with using client
> > certs to authenticate end users to Unix services.
> >
> > How are
> I'm just mapping public keys (which you can extract from any certificate,
> whoever signed it) to user-ids. This mapping is stored in a SQL database
> containing additional data, like what services the user can use, which urls
> (s)he can access and the like.
>
> I'm using this approach since mor
On Tue, 2 Nov 1999, Jeffrey Altman wrote:
> (sorry about the null message.)
>
> I am looking for a summary of people's experiences with using client
> certs to authenticate end users to Unix services.
>
> How are you mapping a client cert to a local Unix account name?
>
> Are you using a f
>One approach would be to use the email field.
No no no no no no no no!
There is no such thing as an "email" field. Many older
CA's (eg., the early Verisign's) used this RDN, which
was defined in PKCS9. *That's wrong.*
The proper thing to do is use the subjectAltNames
extension.
/r$
Jeffrey Altman wrote:
>
>
> I am looking for a summary of people's experiences with using client
> certs to authenticate end users to Unix services.
>
> How are you mapping a client cert to a local Unix account name?
>
> Are you using a field within the cert? If so, which one(s)? Are
> diffe
Jeffrey Altman wrote:
> How are you mapping a client cert to a local Unix account name?
>
> Are you using a field within the cert? If so, which one(s)? Are
> different fields used for different services?
>
> Or are you using some form of Certificate Mapping Service which takes
> a validated c
Jeffrey Altman wrote:
>
> (sorry about the null message.)
>
> I am looking for a summary of people's experiences with using client
> certs to authenticate end users to Unix services.
>
> How are you mapping a client cert to a local Unix account name?
>
> Are you using a field within the cert?