Erwann Abalea wrote:
On Wed, 6 Oct 2004, Jesse I Pollard - CONTRACTOR wrote:
On Wed, 6 Oct 2004, jmt wrote:
From: Jesse I Pollard - CONTRACTOR
Yes... this is the most delicate problem. I assume that you are
aware of how Mario Strasser's module checks the name. In your
opinion, what would be the best way to get the user name from the
card?
You can't.
Not really.
User names vary - on one system it might be based on the last name.
On another, the last name + first initial. And then what about the
case of multiple John Smith, or June Smith, Joe Smith, and
Josephine Smith?
Or it might be totally unrelated. I've seen user names like U77745
just because that was the policy at that site.
Even on the same system you may have multiple logins (I have two -
used for totally different purposes).
The only unique thing I've been told is an identification number at
the end of the CN string. It starts with a period, and is 10 digits
long. Maybe using that for a lookup of a list of valid login names
would be reasonable. Of course, the list of valid logins is NOT on
the card. And to get the identification number, you must have the
user supply the PIN.
My advice would be to do like others do: use an X.509 certificate,
and either:

* do the Microsoft Way (tm) (see Q281245): add a subjectAltName
  extension as otherName type, add an AVA with OID
  1.3.6.1.4.1.311.20.2.3 (the 1.3.6.1.4.1.311 branch is owned by
  Microsoft), encode the username (login name) as a UTF8 string, and
  add the Smart Card Logon OID (1.3.6.1.4.1.311.20.2.2) in the
  extendedKeyUsage extension,
* do the LDAP way: in the subjectName of the certificate, add a
  uniqueIdentifier (OID 2.5.4.45 - ISO X.500 branch), encode the login
  name as a DER IA5STRING, encode this DER string as a BITSTRING, and
  place it as the value of the previous AVA,
* do your way: reserve an OID in the 1.3.6.1.4.1 (I have one, it's
  free), add your own OID for this usage, and either use it as a new
  AVA in the subjectName or subjectAltName or another totally new
  extension.
This gets interesting, because it is moving towards ideas that a group
of us in the UK are putting forward (based on e-Europe Smart Cards work
at www.eeurope-smartcards.org: the OSCIE Vol 3 modelling exercise for
ID, authentication and signature using smart cards). The proposals use
X.509 certificates for ID (single assured identity), with attribute
certificates for add-on information such as alternative names, place of
residence, driving licence... a major aim is to allow common
infrastructure to handle many types of secure token. Handling login ID
and password is a downstream task once the core architecture is agreed.
How far this work will go is not yet known.
(Erwann: which country are you in?)
Peter
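The two certificate encodings of the login name that Erwann's post describes (the Microsoft otherName UPN and the X.500 uniqueIdentifier BIT STRING), as an added example that is not code from the thread or from Mario Strasser's module. It is a minimal hand-written DER codec using only the standard library (Python 3.8+); the OIDs are the ones quoted in the post and the login "jsmith" is a constructed sample value.

```python
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft otherName type-id for the login name
UNIQUE_ID_OID = "2.5.4.45"          # X.500 uniqueIdentifier attribute type

def tlv(tag: int, content: bytes) -> bytes:
    n = len(content)                        # DER tag-length-value, long form from 128 bytes
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                # base-128, high bit set on all but the last
        while (arc := arc >> 7):
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def parse_tlv(buf: bytes):
    tag, n, i = buf[0], buf[1], 2           # -> (tag, content, remainder)
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[i:i + n], buf[i + n:]

def upn_general_name(login: str) -> bytes:
    """Microsoft way: GeneralName otherName [0] { UPN OID, [0] EXPLICIT UTF8String }."""
    return tlv(0xA0, encode_oid(UPN_OID) + tlv(0xA0, tlv(0x0C, login.encode("utf-8"))))

def unique_identifier_ava(login: str) -> bytes:
    """LDAP way: AttributeTypeAndValue { 2.5.4.45, BIT STRING wrapping a DER IA5String }."""
    ia5 = tlv(0x16, login.encode("ascii"))
    return tlv(0x30, encode_oid(UNIQUE_ID_OID) + tlv(0x03, b"\x00" + ia5))

def login_from_upn(general_name: bytes) -> str:
    """Mapping side: accept only an otherName whose type-id is the UPN OID."""
    tag, body, _ = parse_tlv(general_name)
    oid_tag, oid, rest = parse_tlv(body)
    utf8_tag, utf8, _ = parse_tlv(parse_tlv(rest)[1])   # unwrap the [0] EXPLICIT tag
    if tag != 0xA0 or tlv(oid_tag, oid) != encode_oid(UPN_OID) or utf8_tag != 0x0C:
        raise ValueError("not a UPN otherName carrying a UTF8String")
    return utf8.decode("utf-8")

def login_from_unique_identifier(ava: bytes) -> str:
    _, body, _ = parse_tlv(ava)
    oid_tag, oid, rest = parse_tlv(body)
    bs_tag, bits, _ = parse_tlv(rest)
    ia5_tag, ia5, _ = parse_tlv(bits[1:])   # bits[0] is the BIT STRING unused-bits count
    if (tlv(oid_tag, oid) != encode_oid(UNIQUE_ID_OID) or bs_tag != 0x03
            or bits[0] != 0 or ia5_tag != 0x16):
        raise ValueError("not a uniqueIdentifier wrapping a DER IA5String")
    return ia5.decode("ascii")
```

Because the encoders and decoders share the same OID check, a certificate that carries a uniqueIdentifier AVA is rejected by `login_from_upn` rather than silently mapped, which is the property a login-name lookup needs.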
_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.drizzle.com/mailman/listinfo/muscle