
Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT



>> Right, it would be better if there was a selection/acl language in  
>> hx509 that could be used. But I've not gone down that road since  
>> the need has not been there.
>>
>> The cert list is in memory, and the lookups can be cached if it's  
>> shown to be slow.
>
> I expect to need to do pkinit with PIV card certs which contain  
> the Microsoft attributes.  However I will need to ignore those  
> attributes.

I just changed the code to search for ietf pk-init eku first, then ms  
smartcard eku and last no eku. This is better than "pick some  
certificate".

I guess that won't work for you Henry. What does your selection language  
look like?

Love