> > The simplest way to do verification is to allow the application to
> > provide a set of root certs that it would like to verify against, and
> > use the built-in OpenSSL verification procedure.
>
> That's good. I don't recall whether you planned for this, however,
> it would then be necessary to find out who the authenticated user
> is, to do authorization. Getting that as a pair (client dn, issuer dn)
> is the interface that springs to mind first.
Yes, that's right. If the cert verifies, its details are then
available, as a mapping, something like this:
{'notBefore': 'Sep 29 16:38:04 2006 GMT',
'notAfter': 'Dec 7 16:38:04 2008 GMT',
'issuer':
{'organizationalUnitName': u'UpLib',
'organizationName': u'PARC',
'commonName': u'wolfe-64.parc.xerox.com',
'stateOrProvinceName': u'California',
'countryName': u'US',
'localityName': u'Palo Alto'},
'version': 2,
'subject':
{'organizationalUnitName': u'UpLib',
'organizationName': u'PARC',
'commonName': u'wolfe-64.parc.xerox.com',
'stateOrProvinceName': u'California',
'countryName': u'US',
'localityName': u'Palo Alto'}
}
This is a self-signed cert, and it's still an open question whether
they should verify, and under what circumstances. I'm currently
thinking that in the CERT_OPTIONAL regime, they could, but with
CERT_REQUIRED, they shouldn't.
Bill
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe:
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
