> > I'm not looking for a magic bullet.  What I am looking for is a method
> > to package and distribute clients and servers that will work out of
> > the box.  
> 
> include simple CA with your server management software.

but I am providing just one daemon.  Not a suite of services. You
don't want a separate CA for each daemon that you run.

> > And the answer is, that if you want to do client auth with
> > PKI then you can't.  You need to modify the code to support whatever
> > local system is in use for certificate to ID mapping.  
> 
> authentication and authorization are different things. whatever
> authentication mechanism you use, you must still do the authorization
> (which is application specific) later.

Absolutely.  That is what I am attempting to do.  In my mind,
authentication is the identifying of who the user is.  It doesn't do
me any good to verify a certificate unless it is uniquely mapped to a
userid.  Once I have the userid then authentication is complete.

Then I can use the userid to determine if the user is authorized.  For
standard services such as FTP, Telnet, ... there are traditional
methods for checking authorization.  For others I may need to check an
LDAP server, or an authorization service, or perhaps look for an
attribute certificate (assuming I trust it).

The IETF TLS WG was discussing the modification of the TLS protocol to
support delegation and impersonation in yesterday's meeting.  From my
perspective this is foolhardy.  If we can't put in place a standard
method of authenticating a user, what is the point of delegation and
impersonation? 

Anyway, thanks to everyone who answered my query on this list.  I
think I have received the answers which I require.  


    Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
                 The Kermit Project * Columbia University
              612 West 115th St #716 * New York, NY * 10025
  http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]
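The separation described above (chain verification by TLS, then a unique
certificate-to-userid mapping as authentication, then a per-service
authorization decision) as an added worked example. This is not code from the
original message or from the Kermit or OpenSSL projects; it uses the
dictionary shape that Python's ssl.SSLSocket.getpeercert() returns for the peer
certificate, and every certificate, mapping entry and ACL below is constructed
sample data. The key used for the mapping is (issuer DN, serial number), which
a well-behaved CA never reuses, rather than the subject CN, which two
different CAs can both issue for the same name.

```python
"""Client-certificate login split into its three steps:

  1. TLS verifies the chain (ssl does this before getpeercert() returns).
  2. Authentication: map the verified certificate to exactly one local userid.
  3. Authorization: decide, per service, what that userid may do.

Certificates are handled in the dict shape of ssl.SSLSocket.getpeercert().
All certificates and tables here are constructed sample data.
"""

from typing import Optional, Tuple

# --- constructed sample peer certificates (getpeercert() dict shape) ---

CERT_ALICE = {
    "issuer": ((("organizationName", "Example Org"),),
               (("commonName", "Example Org Client CA"),)),
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "alice"),)),
    "serialNumber": "0A1B2C",
}

# Same CN "alice" and even the same serial, but issued by a different CA.
# It must not be treated as the local user "alice".
CERT_ALICE_OTHER_CA = {
    "issuer": ((("organizationName", "Partner Corp"),),
               (("commonName", "Partner Corp CA"),)),
    "subject": ((("organizationName", "Partner Corp"),),
                (("commonName", "alice"),)),
    "serialNumber": "0A1B2C",
}

CERT_BOB = {
    "issuer": ((("organizationName", "Example Org"),),
               (("commonName", "Example Org Client CA"),)),
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "bob"),)),
    "serialNumber": "0A1B2D",
}

# Short attribute names used when flattening a DN for display and lookup.
_SHORT = {"countryName": "C", "organizationName": "O",
          "organizationalUnitName": "OU", "commonName": "CN",
          "emailAddress": "E"}


def dn_to_string(dn) -> str:
    """Flatten a getpeercert() DN (tuple of RDN tuples) to 'O=Example Org,CN=alice'."""
    parts = []
    for rdn in dn:
        for attr_type, value in rdn:
            parts.append(f"{_SHORT.get(attr_type, attr_type)}={value}")
    return ",".join(parts)


def cert_key(peercert) -> Tuple[str, str]:
    """Identify a certificate by (issuer DN, serial): unique per CA, unlike the CN."""
    return (dn_to_string(peercert["issuer"]), peercert["serialNumber"].upper())


# Local enrollment table (constructed): which certificate belongs to which userid.
# A dict keyed by cert_key guarantees each certificate maps to at most one user.
CERT_TO_USERID = {
    cert_key(CERT_ALICE): "alice",
    cert_key(CERT_BOB): "bob",
}


def authenticate(peercert) -> Optional[str]:
    """Step 2: return the local userid for a verified certificate, or None.

    A certificate that chains to a trusted CA but is not enrolled here is
    not an identity; the caller must not fall through to authorization."""
    return CERT_TO_USERID.get(cert_key(peercert))


# Step 3 data (constructed): per-service ACLs, application specific.
SERVICE_ACL = {
    "ftp": {"alice", "bob"},
    "admin": {"alice"},
}


def authorize(userid: Optional[str], service: str) -> bool:
    """Step 3: may this userid use this service? Unknown users are denied."""
    return userid is not None and userid in SERVICE_ACL.get(service, set())


def handle_login(peercert, service: str) -> Tuple[str, Optional[str], str]:
    """Run authentication then authorization; return (decision, userid, reason)."""
    userid = authenticate(peercert)
    if userid is None:
        return ("deny", None, "certificate verified but not mapped to a userid")
    if not authorize(userid, service):
        return ("deny", userid, f"{userid} is not authorized for {service}")
    return ("allow", userid, "")


if __name__ == "__main__":
    for cert, svc in ((CERT_ALICE, "admin"), (CERT_BOB, "admin"),
                      (CERT_ALICE_OTHER_CA, "ftp")):
        print(dn_to_string(cert["subject"]), svc, handle_login(cert, svc))
```

On a real server the dict comes from `conn.getpeercert()` after a handshake on
a context configured with `verify_mode = ssl.CERT_REQUIRED`; everything after
that point is the part the message says each daemon has to supply itself.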


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]