The serialNumber is the equivalent of UUID for a person and does not change.
A person can have several SuisseIDs issued to him/her containing different email addresses and possibly associations to one/more different companies, issued by different CAs (even concurrently!). As long as it's the same individual the serialNumber remains the same.

Also: There already is a second certificate (certificate #5) on the token (only used for qualified signatures right now) that shows the deal:

- Subject: /CN=Wolf Geldmacher (Qualified Signature)/emailaddress=no...@womaro-nospam.ch/serialNumber=1300-0010-7568-6942
- Issuer: /C=CH/O=SwissSign AG/CN=SwissSign Qualified Platinum CA 2010 - G2
- Algorithm: rsaEncryption

-> Different CA, Different CN, same serialNumber

Of course I could list (and maintain) each possibility on each machine, but it's way simpler to be able to say "Accept this individual - regardless of email/company/CA" and map him/her to a given local user (and maybe later to say something like "Accept this individual, but only in his role as worker for this company" or "Accept this individual, but only if he holds an email account for my domain").

On Wednesday, 23.06.2010, at 18:25 +0000, OpenSC wrote:
> #240: Allow pattern matching in pam_pkcs11
> -------------------------+--------------------------------------------------
>  Reporter:  wjg         |      Owner:  opensc-de...@…
>      Type:  enhancement |     Status:  new
>  Priority:  normal      |  Milestone:  0.12.0
> Component:  pam_pkcs11  |    Version:  0.11.13
>  Severity:  normal      |   Keywords:  pam_pkcs11 pattern matching
> -------------------------+--------------------------------------------------
>
> Comment(by ludovic):
>
>  What is the problem with using:
>  {{{
>  /CN=Wolf Geldmacher (Authentication)/emailaddress=no...@womaro-nospam.ch/serialNumber=1300-0010-7568-6942 -> notme
>  }}}
>
>  What is expected to change?
>

--
Just when you discovered the meaning of life IT changed.
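The mapping requested in the message above, sketched as an added example (not pam_pkcs11 code and not part of the original thread): it maps a subject to a local user by exact serialNumber attribute rather than by matching the whole subject string, with the optional email-domain condition. It assumes the certificate chain has already been validated; the policy table, function names and email addresses are hypothetical or constructed.

```python
import re

# Hypothetical policy: serialNumber -> (local user, required email domain or None).
POLICY = {"1300-0010-7568-6942": ("notme", None)}
# Serial shape as seen in the message; assumed, not taken from a specification.
SERIAL_FORMAT = re.compile(r"\d{4}-\d{4}-\d{4}-\d{4}")

# Constructed subjects modelled on the two certificates in the message.
AUTH = "/CN=Wolf Geldmacher (Authentication)/emailaddress=wolf@example.ch/serialNumber=1300-0010-7568-6942"
QUAL = "/CN=Wolf Geldmacher (Qualified Signature)/emailaddress=wolf@example.org/serialNumber=1300-0010-7568-6942"

def parse_subject(subject):
    """Split an OpenSSL one-line subject into (attribute, value) pairs."""
    pairs = []
    for part in re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", subject):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key.lower(), value))
    return pairs

def map_user(subject, policy=POLICY):
    """Return the local user for a subject, or None if it must not be accepted."""
    pairs = parse_subject(subject)
    serials = [v for k, v in pairs if k == "serialnumber"]
    # Exactly one well-formed serialNumber: the one-line form is ambiguous, so a
    # second occurrence may be text placed inside another field such as the CN.
    if len(serials) != 1 or not SERIAL_FORMAT.fullmatch(serials[0]):
        return None
    entry = policy.get(serials[0])  # exact comparison, never substring or prefix
    if entry is None:
        return None
    user, domain = entry
    if domain is not None:
        emails = [v for k, v in pairs if k == "emailaddress"]
        if len(emails) != 1 or not emails[0].lower().endswith("@" + domain):
            return None
    return user
```

A matcher working on the parsed certificate name entries instead of the one-line string avoids the ambiguity that the duplicate-attribute check guards against here.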