Hi,

while working on the docs, I stumbled across the X509 based handlers.

We have two x509 based handlers, where both reuse the "certificate role" from the database for the authorization role. We already discussed that we do not want to continue with this feature, but we need to find another way to assign a role when using x509 authentication.

The only way I see is a separate database that links a certificate (based on DN or serial number) to a role. That of course creates some overhead in managing. We can think about a kind of default, so any valid certificate becomes a "User" whereas we just mark users with operator roles, which will reduce the work but still requires a new frontend.

An alternative would be to include the role directly into the certificate, but that again violates the pragma of separating authentication and authorization.

Any ideas on that?

Oli

--
Protect your environment - close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF 8168 CAB7 B0DD 3985 1721
_______________________________________________ OpenXPKI-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-devel
