Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
On Mar 17, 2008, at 4:31 PM, Henry B. Hotz wrote:
> I'm probably mixing different levels of selection in my thinking. I
> do not know if there will be more than one cert on the card that we
> might have to worry about. There isn't on the prototype I have and
> I hope that will be the same for the real cards. IIUC your
> selection expression is to choose which cert is to be used.
DoD CACs and Federal PIVs have at least two certs (and probably three
in many PIV PKIs) that meet the minimal PKINIT criteria (i.e.,
digitalSignature--PIV auth cert and the email signing cert, possibly
a non-email identity cert).

While CACs and PIVs hold only one *set* of certs all from the same
PKI and only one cert will assert any PKINIT EKUs (whether MS or
IETF), the capability for an expressive filtering language would be
useful for someone working with a multi-organization card with more
than one credential set loaded.
It's a good idea, even if I won't use it. :)
-- Tim
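To make the selection problem Tim describes concrete, here is an added example (not code from this thread, nor from MIT krb5 or any other Kerberos implementation) that filters the certs on a card down to the one PKINIT should use. The card contents are constructed, the `<KU>`/`<EKU>`/`<SUBJECT>` rule syntax and the friendly EKU names (`pkinit`, `msScLogin`, ...) are this example's own assumptions, and only the OIDs are the standard values.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Standard EKU OIDs (real values from RFC 4556, RFC 5280 and Microsoft's arc).
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"         # id-pkinit-KPClientAuth (RFC 4556)
OID_MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"              # id-kp-clientAuth
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"         # id-kp-emailProtection

# Friendly names accepted in <EKU> rules; the names are this example's own choice.
EKU_NAMES = {
    "pkinit": OID_PKINIT_CLIENT_AUTH,
    "msScLogin": OID_MS_SMARTCARD_LOGON,
    "clientAuth": OID_CLIENT_AUTH,
    "emailProtection": OID_EMAIL_PROTECTION,
}


@dataclass(frozen=True)
class CardCert:
    """Minimal view of one certificate on a card: only the fields a filter needs."""
    label: str
    subject: str
    key_usage: FrozenSet[str]   # keyUsage bit names, e.g. "digitalSignature"
    eku: FrozenSet[str]         # extendedKeyUsage OIDs


# Constructed card contents (hypothetical, not a real CAC/PIV dump). All three
# certs come from one PKI; two assert digitalSignature, but only one carries
# the PKINIT / smart-card-logon EKUs.
PIV_CARD: List[CardCert] = [
    CardCert("PIV Authentication", "CN=JANE DOE, OU=People, O=Example Agency",
             frozenset({"digitalSignature"}),
             frozenset({OID_CLIENT_AUTH, OID_MS_SMARTCARD_LOGON, OID_PKINIT_CLIENT_AUTH})),
    CardCert("Digital Signature", "CN=JANE DOE, OU=People, O=Example Agency",
             frozenset({"digitalSignature", "nonRepudiation"}),
             frozenset({OID_EMAIL_PROTECTION})),
    CardCert("Key Management", "CN=JANE DOE, OU=People, O=Example Agency",
             frozenset({"keyEncipherment"}),
             frozenset({OID_EMAIL_PROTECTION})),
]

_RULE = re.compile(r"(?:<(?:KU|EKU|SUBJECT)>[^<]*)+")
_COMPONENT = re.compile(r"<(KU|EKU|SUBJECT)>([^<]*)")


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, List[str]]]]:
    """Split a rule into its combining mode and its components.

    Syntax (this example's own): an optional leading '&&' (every component
    must match, the default) or '||' (any component suffices), then one or
    more of
      <KU>bit[,bit...]      every listed keyUsage bit must be set
      <EKU>name[,name...]   every listed EKU (friendly name or OID) must be present
      <SUBJECT>text         case-insensitive substring of the subject DN
    """
    mode, body = "&&", rule.strip()
    if body.startswith(("&&", "||")):
        mode, body = body[:2], body[2:]
    if not _RULE.fullmatch(body):
        raise ValueError(f"unparseable rule: {rule!r}")
    parsed = []
    for kind, values in _COMPONENT.findall(body):
        # Subject text may itself contain commas, so it is not split.
        items = [values.strip()] if kind == "SUBJECT" else \
                [v.strip() for v in values.split(",") if v.strip()]
        if not items or items == [""]:
            raise ValueError(f"<{kind}> needs at least one value")
        parsed.append((kind, items))
    return mode, parsed


def _component_matches(cert: CardCert, kind: str, values: List[str]) -> bool:
    if kind == "KU":
        return all(v in cert.key_usage for v in values)
    if kind == "EKU":
        # Accept friendly names or raw OIDs; an unknown name simply never matches.
        return all(EKU_NAMES.get(v, v) in cert.eku for v in values)
    return values[0].lower() in cert.subject.lower()   # SUBJECT


def matches(cert: CardCert, rule: str) -> bool:
    mode, components = parse_rule(rule)
    results = [_component_matches(cert, kind, vals) for kind, vals in components]
    return all(results) if mode == "&&" else any(results)


def select_certs(card: List[CardCert], rule: str) -> List[str]:
    """Labels of the certs on the card that satisfy the rule, in card order."""
    return [c.label for c in card if matches(c, rule)]


def pick_pkinit_cert(card: List[CardCert], rule: str) -> str:
    """The single cert PKINIT should use; refuse to guess when the rule is ambiguous."""
    chosen = select_certs(card, rule)
    if len(chosen) != 1:
        raise LookupError(f"rule {rule!r} matched {len(chosen)} certs: {chosen}")
    return chosen[0]


if __name__ == "__main__":
    for rule in ("<KU>digitalSignature", "<KU>digitalSignature<EKU>msScLogin"):
        print(f"{rule:40} -> {select_certs(PIV_CARD, rule)}")
```

The point the card illustrates is the one from the message: a key-usage-only rule is satisfied by two certs, so `pick_pkinit_cert` refuses it, while adding an `<EKU>` component (either the IETF or the Microsoft OID) narrows the choice to the PIV authentication cert.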