
Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT




On Mar 10, 2008, at 8:14 AM, Love Hörnquist Åstrand wrote:

>>> Right, it would be better if there was a selection/acl language in  
>>> hx509 that could be used. But I've not gone down that road since  
>>> the need has not been there.
>>>
>>> The cert list is in memory, and the lookups can be cached if it's  
>>> shown to be slow.
>>
>> I expect to need to do pkinit with PIV card certs which contain  
>> the Microsoft attributes.  However I will need to ignore those  
>> attributes.
>
> I just changed the code to search for ietf pk-init eku first, then  
> ms smartcard eku and last no eku. This is better than "pick some  
> certificate".
>
> I guess that won't work for you Henry. What does your selection  
> language look like?
>
> Love

If we can do things the way we want, then it should work fine.  I  
think.  We hope to put both a MS eku and the ietf pk-init eku on the  
card with different values.

Our problem is that the organization issuing the cards covers more  
than one utilizing organization.  The utilizing organizations will  
need different priorities (we think), and they will want to access  
each other's infrastructure.


------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
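The selection order Love describes above (IETF PKINIT client EKU first, then the Microsoft smart card logon EKU, then a certificate with no EKU extension at all), together with the per-organization priority Henry asks for, as an added example. This is illustrative code written for this page, not Heimdal's hx509 or pkinit code: the `Cert` stand-in, the function names, and the `PIV_CARD` contents are constructed assumptions. The two EKU OIDs are the real ones (id-pkinit-KPClientAuth from RFC 4556 and Microsoft Smart Card Logon). The example goes one step beyond the thread by making the tier order a parameter, which is the knob a utilizing organization would set differently.

```python
"""Client-side PKINIT certificate selection by EKU priority (illustrative)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

# Extended Key Usage OIDs relevant to choosing a PKINIT client certificate.
ID_PKINIT_KPCLIENTAUTH = "1.3.6.1.5.2.3.4"      # RFC 4556 id-pkinit-KPClientAuth
MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"   # Microsoft Smart Card Logon
ID_KP_CLIENTAUTH = "1.3.6.1.5.5.7.3.2"          # generic TLS client auth; not sufficient here
ID_KP_EMAILPROTECTION = "1.3.6.1.5.5.7.3.4"

# Tier marker meaning "certificate carries no EKU extension at all".
NO_EKU = None
Tier = Optional[str]


@dataclass(frozen=True)
class Cert:
    """Hypothetical stand-in for an hx509 certificate: only what selection needs."""
    subject: str
    ekus: Optional[FrozenSet[str]]   # None = EKU extension absent


def matches_tier(cert: Cert, tier: Tier) -> bool:
    """True if `cert` satisfies one selection tier."""
    if tier is NO_EKU:
        return cert.ekus is None
    return cert.ekus is not None and tier in cert.ekus


# Love's order from the thread, and a variant that never picks a cert on
# the strength of the Microsoft EKU alone (Henry's "ignore those attributes").
DEFAULT_PREFERENCE: Sequence[Tier] = (ID_PKINIT_KPCLIENTAUTH, MS_SMARTCARD_LOGON, NO_EKU)
IGNORE_MS_PREFERENCE: Sequence[Tier] = (ID_PKINIT_KPCLIENTAUTH, NO_EKU)


def select_client_cert(certs: Sequence[Cert],
                       preference: Sequence[Tier] = DEFAULT_PREFERENCE) -> Optional[Cert]:
    """Return the first certificate matching the highest-priority tier.

    Tiers are tried in order; within a tier the list order decides, which
    mirrors scanning an in-memory certificate list.  A certificate whose EKU
    extension is present but names neither accepted OID is never chosen:
    an EKU-restricted certificate must not be used for a purpose it does not
    list, so "no EKU" is a tier of its own rather than a catch-all.
    """
    for tier in preference:
        for cert in certs:
            if matches_tier(cert, tier):
                return cert
    return None


# Constructed sample card contents (not real certificates).
PIV_CARD = [
    Cert("CN=Alice,OU=PIV Authentication", frozenset({ID_KP_CLIENTAUTH, MS_SMARTCARD_LOGON})),
    Cert("CN=Alice,OU=Kerberos", frozenset({ID_PKINIT_KPCLIENTAUTH})),
    Cert("CN=Alice,OU=Email", frozenset({ID_KP_EMAILPROTECTION})),
    Cert("CN=Alice,OU=Legacy", None),
]

if __name__ == "__main__":
    chosen = select_client_cert(PIV_CARD)
    print(chosen.subject if chosen else "no usable certificate")
```

The preference tuple is the only thing two utilizing organizations would need to disagree on; everything else, including the rule that a certificate with an unrelated EKU is never picked, stays shared. This is purely the client's choice of which certificate to present; the KDC still validates the chain, its own EKU policy and the principal mapping independently.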