[Cryptography Team] Re: SSL Certificate Validation

Robert Withers reefedjib at yahoo.com
Sat Jan 27 18:58:57 UTC 2007 

Thanks for the clarifications, Tim.  It makes much sense, now.

Robert

On Jan 26, 2007, at 4:50 PM, Cerebus wrote:

> On 1/25/07, Rob Withers <reefedjib at yahoo.com> wrote:
>
>> I am not currently parsing the certificate extensions, and  
>> discussion of the
>> commonName vs the subjectAltName has always confused me.  This  
>> would be
>> something that could be worked on with X509.
>
> Back when X.500 defined distinguished names, there wasn't a lot of
> thought about non-people being named in this way.  X.509 adopted the
> X.500 naming scheme, but applied to people, services, devices, etc.
> Various kludges were added to DN to accommodate different protocol
> naming needs.
>
> Eventually a light dawned and the subjectAltName extension was
> defined.  The protocol specific names go in there (predefined types
> like rfc822Name, iPaddress, dNSName, etc.), leaving the subject DN for
> a human-readable names.
>
> Also, subject DN is allowed to be empty, in which case the names
> *have* to be in subjectAltName.  :)
>
>> I don't understand what you mean when you say "it's bad practice  
>> to put
>> authorization data into an
>> authentication instrument like a certificate".
>
> Mostly that was aimed at Ron but I was at the airport posting from my
> N800 so I was being lazy.
>
>> I would think that once a
>> certificate is authenticated, then it's identity (commonName or
>> subjectAltName) could be used for authorization.  At least the SSL  
>> spec
>> speaks about it working this way.
>
> Correct.  However, the authZ decision should be made local to the
> service, *not* by the certificate issuer.  IOW, the certificate or
> public key is your index into a local authorization database, and it's
> the information in that database that determines the cert holder's
> access rights.
>
> -- Tim
> _______________________________________________
> Cryptography mailing list
> Cryptography at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/ 
> cryptography

More information about the Cryptography mailing list