TLS: assigning certificates to username

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu May 5 22:25:16 CEST 2016


> On 5 May 2016, at 16:09, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> 
> 
>> On 5 May 2016, at 15:11, A.L.M.Buxey at lboro.ac.uk wrote:
>> 
>> Hi,
>> 
>>> So in fact I revise my previous statement, if your cert contains an NAI in the CN part of the subject, your system administrator is an idiot.
>> 
>> but if we are being pragmatic.. subjectAltName used for proxying decisions in EAP-TLS?
> 
> No.
> 
>> the commonname is used
> 
> I'm not sure what your point is.  Certificates aren't used in proxying decisions.  They can't be.  It's too late by the time you've received the certificate from the supplicant.

My main reason for being less than enthusiastic about using CN for NAIs is that in LDAP (and in X.509) CN is usually the user's human-readable name, so you're creating discordant representations of the user.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
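To make the timing argument above concrete, here is a FreeRADIUS 3.x configuration fragment. It is an added illustration for this thread, not text from the original message and not taken from the FreeRADIUS distribution; the realm name, home server address and shared secret are made-up values. The `suffix` realm module runs in `authorize` on the very first Access-Request, which carries only the outer identity in User-Name, and sets Proxy-To-Realm there. The `eap` module comes later in the same section, and the supplicant's certificate only shows up several EAP-TLS round trips after that, so nothing in the certificate (CN or subjectAltName) can feed into the proxying decision.

```conf
# mods-enabled/realm: stock module definition, shown for context.
# Splits User-Name on "@" into Stripped-User-Name and Realm.
realm suffix {
    format = suffix
    delimiter = "@"
}

# proxy.conf: assumed home server and realm (illustrative values only).
home_server example_edu {
    type = auth
    ipaddr = 192.0.2.10
    port = 1812
    secret = testing123
}

home_server_pool example_edu_pool {
    type = fail-over
    home_server = example_edu
}

realm example.edu {
    auth_pool = example_edu_pool
    # Forward the full NAI (user@realm) to the home server unchanged.
    nostrip
}

# sites-enabled/default, authorize section. Order matters here.
authorize {
    # First Access-Request: only the outer identity is available.
    # For "jdoe@example.edu" this sets Realm = example.edu and
    # Proxy-To-Realm = example.edu, and the request is forwarded.
    suffix

    # EAP-TLS is handled here. The client certificate arrives inside
    # later EAP round trips, after the proxy decision above was made,
    # so its CN or subjectAltName cannot influence where the request goes.
    eap
}
```

If the realm is matched, FreeRADIUS forwards every subsequent packet of that EAP conversation to the same home server; the TLS handshake, and with it the certificate, is only ever seen by the home server, not by the proxy.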


