On Thu, Nov 26, 1998, S.T. Wong wrote:
> > The Subject of a certificate is the _owner_ of the certificate, i.e. in the
> > context of an SSL webserver the DN which describes the server. The DN here is
> > usually something like
>
> I see, but will someone check the subject (manually?) for the identity of the
> owner through LDAP?
Checked? Hmmm... no, usually one would use LDAP just to look up the
certificates of the issuing CAs in the directory for the verification process.
> I just wonder if there will be a problem when the
> "identity" of an object found in LDAP and a certificate is different. I
> always get confused when talking about the "identity" of an object. Maybe it's
> a bit off topic: Can I identify someone globally and uniquely?
No, the Subject-DN is not unique globally. It is most of the time unique per
CA, but actually there is no need for this: a CA can issue more than
one certificate to the same Subject-DN. That's why in X.509v3 some extensions
exist (one of them can be used for unique ids). AFAIK the only really unique
thing in an X.509 certificate is the pair <serial number, CA DN>. That's why
this pair is used for Certificate Revocation Lists (CRL).
> > /C=XY /ST=Snake Desert /L=Snake Town
> > /O=Snake Oil, Ltd /OU=Webserver Team /CN=www.snakeoil.dom
>[...]
> > Sure. Apache+mod_ssl doesn't query your LDAP database...
>
> In fact, we're in the process of setting up LDAP and a CA locally. However, there's a
> long discussion here about the DN definition. Someone proposed the "dc" model
> - to have DN: uid=<unique id>, dc=cuhk, dc=edu, dc=hk, according to rfc2247,
> while someone suggested using the DN in a certificate (like those generated
> by SSLeay). Currently our applications will check the RDNs in an entry, e.g.
> mail, while some applications (like Communicator) only check certain attributes
> (e.g. mail) when talking to LDAP instead of using the DN.
> Although there's no immediate need for extracting information from certificates,
> it'll be a nightmare to change the DN after production. :(
Yes, but isn't there a mapping mechanism in LDAP to overcome those things? Can
the LDAP filter functions be used for this? Hmmm... my current LDAP knowledge
is too limited here, sorry.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
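The point in the reply above, that the Subject-DN is not a unique identity and that a CRL keys on the pair <serial number, CA DN>, can be seen directly in the certificate encoding. The following is an added example, not code from the mailing list post or from mod_ssl/SSLeay: it uses only the Python standard library, builds two constructed, minimal TBSCertificate structures with a tiny DER encoder (same Snake Oil subject DN, same issuing CA, different serials), and then parses them back the way a verifier would to extract the (issuer DN, serial) pair and run a CRL lookup against it. The CA name "Snake Oil CA", the serials 1001/1002, the dates and the UTF8String-only encoding of DN values are assumptions made for the demonstration; real certificates carry more fields (public key, extensions, signature) and mix string types.

```python
"""Identity of an X.509 certificate is (issuer DN, serial), not the Subject-DN.

Added example (not from the mod_ssl post). Standard library only.
The encoder half exists only to construct test data; the parser half is the
part a verifier or CRL checker actually needs.
"""

# --- minimal DER encoder (used only to build constructed sample certs) ----

def der_len(n):
    """DER length: short form below 128, otherwise 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    # Non-negative only; the extra byte keeps a leading 0x00 when the top bit is set.
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_str(text):
    return tlv(0x0C, text.encode("utf-8"))  # UTF8String (assumption: all values)

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def der_set(*parts):
    return tlv(0x31, b"".join(parts))

# id-at-countryName, organizationName, organizationalUnitName, commonName (DER-encoded)
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0A", "OU": b"\x55\x04\x0B", "CN": b"\x55\x04\x03"}
OID_NAMES = {v: k for k, v in OIDS.items()}

def der_name(rdns):
    """Name ::= SEQUENCE OF RelativeDistinguishedName (SET OF AttributeTypeAndValue)."""
    return seq(*[der_set(seq(tlv(0x06, OIDS[a]), der_str(v))) for a, v in rdns])

def tbs_certificate(serial, issuer, subject):
    """Constructed, minimal TBSCertificate: version, serial, sig alg, issuer, validity, subject."""
    version = tlv(0xA0, der_int(2))                                      # [0] EXPLICIT v3
    sig_alg = seq(tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))    # sha256WithRSAEncryption
    validity = seq(tlv(0x17, b"981126000000Z"), tlv(0x17, b"991126000000Z"))  # assumed dates
    return seq(version, der_int(serial), sig_alg, der_name(issuer), validity, der_name(subject))

# --- DER parser: the part a verifier / CRL check needs -------------------

def read_tlv(buf, pos):
    """Return (tag, content, position after this TLV); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def name_to_string(name_content):
    """Render a DER Name in the mod_ssl-style "/C=XY/O=.../CN=..." form."""
    parts = []
    for _, rdn in children(name_content):            # each SET
        for _, atv in children(rdn):                 # each AttributeTypeAndValue
            (_, oid), (_, value) = children(atv)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('utf-8')}")
    return "/" + "/".join(parts)

def identity_key(tbs_der):
    """Return ((issuer DN, serial), subject DN) from a DER TBSCertificate."""
    _, content, _ = read_tlv(tbs_der, 0)
    fields = children(content)
    if fields[0][0] == 0xA0:                         # optional [0] version (absent in v1)
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big")
    issuer = name_to_string(fields[2][1])
    subject = name_to_string(fields[4][1])
    return (issuer, serial), subject

def is_revoked(tbs_der, crl_entries):
    """crl_entries: set of (issuer DN, serial) pairs, i.e. what a CRL identifies certs by."""
    key, _ = identity_key(tbs_der)
    return key in crl_entries

# --- constructed sample: one CA re-issues a cert for the same Subject-DN ---

CA = [("C", "XY"), ("O", "Snake Oil, Ltd"), ("CN", "Snake Oil CA")]       # assumed CA name
SERVER = [("C", "XY"), ("O", "Snake Oil, Ltd"), ("OU", "Webserver Team"), ("CN", "www.snakeoil.dom")]
CERT_OLD = tbs_certificate(1001, CA, SERVER)
CERT_NEW = tbs_certificate(1002, CA, SERVER)   # same Subject-DN, new serial

def demo():
    """CRL listing serial 1001 from the Snake Oil CA revokes the old cert only."""
    revoked = {identity_key(CERT_OLD)[0]}
    return {
        "same_subject": identity_key(CERT_OLD)[1] == identity_key(CERT_NEW)[1],
        "distinct_keys": identity_key(CERT_OLD)[0] != identity_key(CERT_NEW)[0],
        "old_revoked": is_revoked(CERT_OLD, revoked),
        "new_revoked": is_revoked(CERT_NEW, revoked),
    }

if __name__ == "__main__":
    for name, cert in (("old", CERT_OLD), ("new", CERT_NEW)):
        print(name, identity_key(cert))
    print(demo())
```

The two certificates print the identical subject string, so a directory or application that keys on the Subject-DN cannot tell the revoked one from its replacement; only the (issuer DN, serial) pair distinguishes them, which is why the CRL check is written against that pair. The same parser shape carries over to reading the CRL itself, whose entries are just serial numbers under the issuer's name.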