[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
>> Right, it would be better is there was a selection/acl language i
>> hx509 that could be used. But I've not gone down that road since
>> the need have not been there.
>> The cert list is in memory, and the lookups can be cached if its
>> shown to be slow.
> I expect to need to do pkinit with PIV card certs which contain a
> the Microsoft attributes. However I will need to ignore those
I just changed the code to search for ietf pk-init eku first, then ms
smartcard eku and last no eku. This is better then "pick some
I guess that wont work for you Henry. How does your selection language