Re: AC509 Login Name
Hi Nick,

> I am working on the use of attribute certificates for secure access to a
> database, where the user's global identity authenticated using SSL/TLS needs
> to be securely mapped to a local login name.
>
> I presume that the Access Identity, as defined in 4.5.2 of
> <draft-ietf-pkix-ac509prof-01>, can be used for this function.

That's the intent.

> However, I cannot find an existing name form defined in X.509 for
> GeneralNames which could be used for a local login name.

Bit naughty, but what about using rfc822Name? It does map reasonably
well in lots of cases so long as IA5String isn't a problem.

> Could one be defined as part of the IETF attribute certificate profile?
>
> What syntax should this take? A choice between UTF-8 and General Name would
> be the simplest.

So you mean you'd prefer something like:

    SvceAuthInfo ::= SEQUENCE {
        service   FlatOrGeneralName,
        ident     FlatOrGeneralName,
        authInfo  OCTET STRING OPTIONAL
    }

    FlatOrGeneralName ::= CHOICE {
        flat  UTF8String,
        gen   GeneralName
    }

I wouldn't have a problem with this, if you're sure you can't
use the rfc822 field (and I think I prefer the above to the use of
otherName that Andy suggested). Anyone else?

Regards,
Stephen.

--
____________________________________________________________
Stephen Farrell
Baltimore Technologies, tel: (direct line) +353 1 647 7406
61 Fitzwilliam Lane, fax: +353 1 647 7499
Dublin 2. mailto:stephen.farrell@baltimore.ie
Ireland http://www.baltimore.com
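
An added example, not part of the original message or of the draft: a minimal Python encoder and decoder for the SvceAuthInfo syntax proposed above. It shows that the flat UTF8String and the rfc822Name alternative of GeneralName are told apart by tag alone, and that rfc822Name (an IA5String) rejects non-ASCII login names. The function names and the restriction to these two alternatives are assumptions of the sketch.

```python
# Added illustration, not from the original message: minimal DER encoder and
# tag-checking decoder. Assumption: only these two name alternatives are handled.
SEQUENCE, OCTETS = 0x30, 0x04
FORMS = {"flat": (0x0C, "utf-8"),     # universal UTF8String
         "rfc822": (0x81, "ascii")}   # GeneralName [1] IMPLICIT IA5String, 7-bit
TAGS = {tag: (form, codec) for form, (tag, codec) in FORMS.items()}

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def encode_name(form, text):
    tag, codec = FORMS[form]              # KeyError for unsupported forms
    return _tlv(tag, text.encode(codec))  # non-ASCII rfc822Name raises

def encode_svce_auth_info(service, ident, auth_info=None):
    body = encode_name(*service) + encode_name(*ident)
    body += b"" if auth_info is None else _tlv(OCTETS, auth_info)
    return _tlv(SEQUENCE, body)

def _read_tlv(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits count the length bytes
        k = n & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("bad length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + n], pos + n

def decode_svce_auth_info(der):
    tag, body, end = _read_tlv(der, 0)
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if not (tag == SEQUENCE and end == len(der) and len(fields) in (2, 3)
            and all(t in TAGS for t, _ in fields[:2])
            and all(t == OCTETS for t, _ in fields[2:])):
        raise ValueError("not a SvceAuthInfo this sketch understands")
    names = [(TAGS[t][0], v.decode(TAGS[t][1])) for t, v in fields[:2]]
    return {"service": names[0], "ident": names[1],
            "authInfo": fields[2][1] if len(fields) == 3 else None}
```

The decoder refuses any name tag it does not recognise instead of guessing, so a login mapping built on it fails closed.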