On Sun, May 09, 2010 at 07:37:50PM +0200, Andras Korn wrote:

> VERIFY ERROR: could not extract Common Name from X509 subject string
> ('/UID=someuser/OU=People/DC=somedomain/DC=tld') -- note that the Common Name
> length is limited to 64 characters

This was a mistake; the DN in an X.509 certificate is read from left to right, not right to left (but this is irrelevant as far as the original wishlist report is concerned).

However, it just occurred to me that it may make sense to force the username (in username+password authentication) to be either the uid/cn from the certificate subject, or the entire DN. This would strengthen double authentication in that it wouldn't be sufficient to know _a_ username/password pair and obtain _a_ valid certificate; it'd be necessary for the client to know the current password of the exact user whose certificate it is using to connect.

I suppose external verify scripts can already be used to do this though.

-- 
Andras Korn <korn at elan.rulez.org> - <http://chardonnay.math.bme.hu/~korn/>
I couldn't repair your brakes, so I made your horn louder.
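The binding Andras suggests at the end of his message (username must equal the certificate's CN, or the whole subject DN) can be enforced today with an external `auth-user-pass-verify` script. The script below is an added example written for this page; it is not code from the bug report, from Andras, or from the OpenVPN project. It assumes the environment variables OpenVPN exports to a `via-env` verify script: `username`, `common_name` (the peer certificate's CN) and `tls_id_0` (the peer certificate's full subject DN). `BIND_MODE` and `REAL_AUTH_SCRIPT` are hypothetical names introduced here: the first selects CN or DN matching, the second is whatever script already checks the password, which this example does not replace. The sample values in the usage lines are constructed.

```shell
#!/bin/sh
# Added example: bind the username of username+password auth to the
# client certificate that was used for the TLS handshake.
#
# Return 0 when the username matches the certificate identity for the
# chosen mode, 1 when it does not, 2 on an unknown mode.
#
#   mode  "cn": username must equal the certificate CN
#   mode  "dn": username must equal the full subject DN
#
# An empty CN/DN never matches, so a certificate without a CN (the case
# from the quoted VERIFY ERROR) cannot be bound in "cn" mode.
username_matches_cert() {
    mode=$1
    user=$2
    cert_cn=$3
    cert_dn=$4

    # Refuse an empty username outright; "" = "" must not succeed.
    [ -n "$user" ] || return 1

    case "$mode" in
        cn)
            [ -n "$cert_cn" ] && [ "$user" = "$cert_cn" ]
            ;;
        dn)
            [ -n "$cert_dn" ] && [ "$user" = "$cert_dn" ]
            ;;
        *)
            return 2
            ;;
    esac
}

# OpenVPN sets script_type=user-pass-verify when it runs this script.
# The entry point below is skipped when the file is sourced for testing.
if [ "${script_type:-}" = "user-pass-verify" ]; then
    # BIND_MODE and REAL_AUTH_SCRIPT are assumed to be set in the server
    # environment (hypothetical names, not OpenVPN options).
    if ! username_matches_cert "${BIND_MODE:-cn}" \
            "${username:-}" "${common_name:-}" "${tls_id_0:-}"; then
        echo "auth: username '${username:-}' does not match client cert" >&2
        exit 1
    fi
    # The binding is only half of double authentication: the password
    # itself is still checked by the existing verifier.
    exec "${REAL_AUTH_SCRIPT:?REAL_AUTH_SCRIPT not set}" "$@"
fi

# Usage (constructed values), outside OpenVPN:
#   username_matches_cert cn alice alice '/CN=alice'            -> 0
#   username_matches_cert cn bob   alice '/CN=alice'            -> 1
#   username_matches_cert dn '/UID=someuser/OU=People/DC=somedomain/DC=tld' \
#       '' '/UID=someuser/OU=People/DC=somedomain/DC=tld'       -> 0
```

In the server config this would be wired in as `auth-user-pass-verify /path/to/this-script via-env` together with `script-security 2`; with `via-env` the password is also exposed in the environment, so the script must not log it or pass it on the command line.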