On Tue, Jul 15, 2008 at 7:57 AM, Oil Supply <[EMAIL PROTECTED]> wrote: >> If you are including a value in there that is meant to be read by a person, >> then yes. If you are including a value in there that is meant to be >> interpretted and acted upon by a Relying Party computer program, then no - >> but then, as I said in my previous message, if you include a private >> extension, the chances of either of these being possible with a >> non-proprietary client is approximately nil. If your certificates are only >> ever being used by a proprietary client in a closed community, then feel free >> to add Private Extensions. If not, then it would probably be better to find a >> way to express what you want to convey using one of the standard extensions. > > ah, now that clears things up. Thanks Patrick. > > I am toying with the efficacy to use certificate attributes to make > application decisions (access control, look and feel, etc), so yes, a > private, closed system.
There's actually a type of certificate out there that is called an "Attribute Certificate" that can provide access-control rights. You might want to look into this -- generally, the CA would in this case be the authenticator (either Active Directory, or Kerberos, or something that provides centralized user authentication) which issues certificates with relatively-short times, revoked whenever the user logs out or otherwise changes some security attribute (such as group membership). > My idea, not a new one by any means, is to separate user provisioning > from application logic. I want to have an authoritative source of the > user and their role, and based on that, the application does something > special. I know there are probably easier ways to do this like assign > a user a role in the app, but I may want to have the user access > multiple apps and using a certificate seems like a good option. I will > certainly use the standard options where I can. I am reading through > the IETF PKIX docs even as we speak. I should mention that Lotus Domino has been doing this for nearly 20 years. If it had a lower cost-of-entry (currently it's around $35,000 for a single server, plus licenses to run Notes clients, plus client licenses for Notes clients to access the Domino server) I'd recommend it as a potentially-viable approach. Alas, it's not. -Kyle H ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
