
Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT

On Mar 17, 2008, at 4:31 PM, Henry B. Hotz wrote:

> I'm probably mixing different levels of selection in my thinking.  I  
> do not know if there will be more than one cert on the card that we  
> might have to worry about.  There isn't on the prototype I have and  
> I hope that will be the same for the real cards.  IIUC your  
> selection expression is to choose which cert is to be used.

DoD CACs and Federal PIVs have at least two certs (and probably three
in many PIV PKIs) that meet the minimal PKINIT criteria (i.e.,
digitalSignature--PIV auth cert and the email signing cert, possibly
a non-email identity cert).

While CACs and PIVs hold only one *set* of certs all from the same
PKI and only one cert will assert any PKINIT EKUs (whether MS or
IETF), the capability for an expressive filtering language would be
useful for someone working with a multi-organization card with more
than one credential set loaded.

It's a good idea, even if I won't use it.  :)

-- Tim
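The selection criterion Tim describes, as an added example written in Go with only the standard library (not code from this thread or from the Kerberos patch under discussion): a cert is kept only when it carries digitalSignature and asserts one of the two PKINIT client EKUs, IETF or Microsoft. The card contents are constructed self-signed certs modelled on the PIV he lists, and the serial numbers are assumed labels, not real card data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"math/big"
	"time"
)

// The PKINIT client EKUs the thread refers to, keyed by dotted OID: IETF (RFC 4556) and Microsoft.
var pkinitEKUs = map[string]string{"1.3.6.1.5.2.3.4": "id-pkinit-KPClientAuth", "1.3.6.1.4.1.311.20.2.2": "szOID_KP_SMARTCARD_LOGON"}
// SelectPKINITCerts keeps certs asserting digitalSignature and a PKINIT EKU; Go has no constants
// for these two OIDs, so after parsing they sit in UnknownExtKeyUsage rather than ExtKeyUsage.
func SelectPKINITCerts(certs []*x509.Certificate) (out []*x509.Certificate) {
	for _, c := range certs {
		for _, oid := range c.UnknownExtKeyUsage {
			if pkinitEKUs[oid.String()] != "" && c.KeyUsage&x509.KeyUsageDigitalSignature != 0 {
				out = append(out, c) // digitalSignature is what signs the AS-REQ authenticator
				break
			}
		}
	}
	return out
}
// makeCert builds a self-signed digitalSignature test cert (constructed here, not read from a
// card) and parses it back from DER, so the filter exercises real extension decoding.
func makeCert(serial int64, eku []x509.ExtKeyUsage, unk []asn1.ObjectIdentifier) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, UnknownExtKeyUsage: unk}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}
// CardCerts models the card Tim describes (serials are assumed labels): 1 is the PIV auth cert (the
// only one asserting PKINIT EKUs), 2 the email signing cert, 3 a non-email identity cert; all digitalSignature.
func CardCerts() []*x509.Certificate {
	return []*x509.Certificate{
		makeCert(1, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, []asn1.ObjectIdentifier{{1, 3, 6, 1, 5, 2, 3, 4}, {1, 3, 6, 1, 4, 1, 311, 20, 2, 2}}),
		makeCert(2, []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, nil),
		makeCert(3, nil, nil)}
}
func main() {
	for _, c := range SelectPKINITCerts(CardCerts()) { println("selected cert serial", c.SerialNumber.String()) }
}
```

Only serial 1 survives the filter: the email signing and identity certs carry digitalSignature but no PKINIT EKU, which is exactly why key usage alone is not enough to pick the card's PKINIT cert.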