Thanks Kyle. I am going to look at this and Patrick's suggestions for SAML and WS-Fed. They seem to be viable options.
On Tue, Jul 15, 2008 at 2:22 PM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
> On Tue, Jul 15, 2008 at 7:57 AM, Oil Supply <[EMAIL PROTECTED]> wrote:
>>> If you are including a value in there that is meant to be read by a person,
>>> then yes. If you are including a value in there that is meant to be
>>> interpreted and acted upon by a Relying Party computer program, then no -
>>> but then, as I said in my previous message, if you include a private
>>> extension, the chances of either of these being possible with a
>>> non-proprietary client are approximately nil. If your certificates are only
>>> ever being used by a proprietary client in a closed community, then feel free
>>> to add Private Extensions. If not, then it would probably be better to find a
>>> way to express what you want to convey using one of the standard extensions.
>>
>> ah, now that clears things up. Thanks Patrick.
>>
>> I am toying with the efficacy to use certificate attributes to make
>> application decisions (access control, look and feel, etc), so yes, a
>> private, closed system.
>
> There's actually a type of certificate out there that is called an
> "Attribute Certificate" that can provide access-control rights. You
> might want to look into this -- generally, the CA would in this case
> be the authenticator (either Active Directory, or Kerberos, or
> something that provides centralized user authentication) which issues
> certificates with relatively-short times, revoked whenever the user
> logs out or otherwise changes some security attribute (such as group
> membership).
>
>> My idea, not a new one by any means, is to separate user provisioning
>> from application logic. I want to have an authoritative source of the
>> user and their role, and based on that, the application does something
>> special. I know there are probably easier ways to do this like assign
>> a user a role in the app, but I may want to have the user access
>> multiple apps and using a certificate seems like a good option. I will
>> certainly use the standard options where I can. I am reading through
>> the IETF PKIX docs even as we speak.
>
> I should mention that Lotus Domino has been doing this for nearly 20
> years. If it had a lower cost-of-entry (currently it's around $35,000
> for a single server, plus licenses to run Notes clients, plus client
> licenses for Notes clients to access the Domino server) I'd recommend
> it as a potentially-viable approach.
>
> Alas, it's not.
>
> -Kyle H
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
> ______________________________________________________________________
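Added example of the closed-community pattern Patrick and Kyle discuss above, written against the openssl command line. It is not code from the thread or from the OpenSSL project: it stands up a throwaway private CA, issues user certificates that carry the user's role in a private extension, and shows the proprietary relying-party check that a program in such a system would run, verifying the chain to its own CA before it reads the role. The OID 1.3.6.1.4.1.99999.1, the user and role names, the second "rogue" CA and the temporary working directory are all assumptions made for illustration; a real deployment would use an OID under its own private enterprise arc.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL. Closed-community PKI
# that carries a user's role in a private X.509 extension, plus the relying-party
# check that reads it back. OID 1.3.6.1.4.1.99999.1, user/role names and the
# rogue CA are assumptions for illustration only.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROLE_OID=1.3.6.1.4.1.99999.1

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

new_ca() {   # new_ca <name>: self-signed CA certificate and key
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/req.cnf" -extensions v3_ca -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue() {   # issue <ca> <user> [role]: user cert, role in the private extension
  ca=$1; user=$2; role=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=$user" -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
  {
    printf 'basicConstraints=CA:FALSE\n'
    # Arbitrary-extension syntax of the x509v3 config: <OID>=ASN1:<type>:<value>
    if [ -n "$role" ]; then
      printf '%s=ASN1:UTF8String:%s\n' "$ROLE_OID" "$role"
    fi
  } > "$WORK/$user.ext"
  openssl x509 -req -in "$WORK/$user.csr" -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/$user.ext" \
    -out "$WORK/$user.pem" 2>/dev/null
}

# Relying-party side. A private extension means nothing unless the certificate
# was issued by our own CA, so the chain is verified before the role is read.
role_of() {   # role_of <cert.pem>: prints the role on stdout, or fails
  cert=$1
  openssl verify -CAfile "$WORK/ca.pem" "$cert" >/dev/null 2>&1 || return 1
  # Locate the extension by OID in the DER dump and take the file offset of the
  # OCTET STRING that follows it (a critical BOOLEAN may sit in between).
  off=$(openssl asn1parse -in "$cert" | awk -v oid="$ROLE_OID" '
    found && /OCTET STRING/ { o = $1; sub(/:.*/, "", o); print o; exit }
    $NF == (":" oid)        { found = 1 }')
  [ -n "$off" ] || return 1          # no role extension: no role, not a default
  # Parse the OCTET STRING contents as ASN.1 and pull out the UTF8String value.
  openssl asn1parse -in "$cert" -strparse "$off" |
    sed -n 's/^.*prim: UTF8STRING *:\(.*\)$/\1/p' | grep .
}

# Constructed demo PKI: our CA plus a rogue CA the relying party does not trust.
new_ca ca
new_ca rogue
issue ca alice admin        # role carried in the private extension
issue ca bob viewer
issue ca carol              # no role extension at all
issue rogue mallory admin   # claims admin, but not issued by our CA

for u in alice bob carol mallory; do
  if r=$(role_of "$WORK/$u.pem"); then
    echo "$u: role=$r"
  else
    echo "$u: rejected (untrusted issuer or no role extension)"
  fi
done
```

The two rejections are the point Patrick's advice turns on: carol's certificate is perfectly valid but carries no role, so the application must treat that as "no access", not as some default; mallory's certificate asserts admin in exactly the right OID, but the relying party never looks at it because the chain check fails first. A non-proprietary client would simply ignore the unknown OID, which is why this only works inside a closed community that controls both the issuer and the consuming program.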