On Sun, May 09, 2010 at 07:37:50PM +0200, Andras Korn wrote:

> VERIFY ERROR: could not extract Common Name from X509 subject string 
> ('/UID=someuser/OU=People/DC=somedomain/DC=tld') -- note that the Common Name 
> length is limited to 64 characters

This was a mistake; the DN in an X.509 certificate is read from left to
right, not right to left (but this is irrelevant as far as the original
wishlist report is concerned).

However, it just occurred to me that it may make sense to force the username
(in username+password authentication) to be either the uid/cn from the
certificate subject, or the entire DN. This would strengthen double
authentication in that it wouldn't be sufficient to know _a_
username/password pair and obtain _a_ valid certificate; it'd be necessary
for the client to know the current password of the exact user whose
certificate it is using to connect.

I suppose external verify scripts can already be used to do this though.

-- 
 Andras Korn <korn at elan.rulez.org> - <http://chardonnay.math.bme.hu/~korn/>
          I couldn't repair your brakes, so I made your horn louder.
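The binding Andras proposes (the username of the username+password pair must be the CN, the UID or the whole DN of the certificate the client presents) can be done today with an external verify script, as he notes. Here is such a script as an added example, not code from the thread or from OpenVPN; it assumes the server uses `auth-user-pass-verify /etc/openvpn/check-user.sh via-file`, that OpenVPN exports `common_name`, `X509_0_UID` and `tls_id_0` into the script's environment, and `check_password` is a hypothetical stand-in for the real password backend.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenVPN): an
# auth-user-pass-verify hook that rejects a login unless the supplied
# username equals the client certificate's CN, its UID, or its whole DN.
# Assumed server config line:
#   auth-user-pass-verify /etc/openvpn/check-user.sh via-file
# so $1 is a temp file with the username on line 1 and the password on
# line 2, and OpenVPN has exported common_name, X509_0_UID and tls_id_0
# (the subject string) into the environment. check_password is a
# hypothetical stand-in for the real password backend (PAM, LDAP, ...).

# Returns 0 if the username equals one of the given certificate
# identities (empty identities are ignored), 1 otherwise.
username_matches_cert() {
    user="$1"; shift
    [ -n "$user" ] || return 1
    for id in "$@"; do
        if [ -n "$id" ] && [ "$user" = "$id" ]; then
            return 0
        fi
    done
    return 1
}

# Line 1 of the via-file credentials file is the username.
username_from_file() { sed -n '1p' "$1"; }

# Hypothetical password check; replace with a real backend. Denies by default.
check_password() { return 1; }

# OpenVPN entry point: status 0 accepts the client, anything else rejects it.
verify_login() {
    credfile="$1"
    user=$(username_from_file "$credfile")
    pass=$(sed -n '2p' "$credfile")
    if ! username_matches_cert "$user" "${common_name:-}" "${X509_0_UID:-}" "${tls_id_0:-}"; then
        echo "rejecting '$user': not the subject of the presented certificate" >&2
        return 1
    fi
    # Only now is the password checked, and only for that exact user.
    check_password "$user" "$pass"
}

# Only run when OpenVPN passes a credentials file.
if [ -n "${1:-}" ]; then
    verify_login "$1"
    exit $?
fi
```

Because the subject match happens before the password lookup, a client holding some valid certificate plus some other user's password is rejected without the password backend ever being consulted.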


