TLS: assigning certificates to username

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri May 6 05:08:18 CEST 2016


> On 5 May 2016, at 16:25, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> 
>> 
>> On 5 May 2016, at 16:09, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>> 
>> 
>>> On 5 May 2016, at 15:11, A.L.M.Buxey at lboro.ac.uk wrote:
>>> 
>>> Hi,
>>> 
>>>> So in fact I revise my previous statement, if your cert contains an NAI in the CN part of the subject, your system administrator is an idiot.
>>> 
>>> but if we are being pragmatic.. subjectAltName used for proxying decisions in EAP-TLS?
>> 
>> No.
>> 
>>> the commonname is used
>> 
>> I'm not sure what your point is.  Certificates aren't used in proxying decisions.  They can't be.  It's too late by the time you've received the certificate from the supplicant.
> 
> My main reason for being less than enthusiastic about using CN for NAIs, is because in LDAP (also X509)

*X500.

Maybe idiot was too harsh.  Just saying it's probably not a good thing to do :)

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
