Introduce the x509-subject-issuer attribute #22

Open
andreaceccanti opened this Issue Apr 12, 2017 · 5 comments

andreaceccanti commented Apr 12, 2017

The X509 PIPs that currently process X.509 certificates in incoming requests set the subject-issuer attribute, which holds the subjects of the certificates in the chain, up to the trust anchor, that signed the EEC included in the authorization request.

We add another attribute, the x509-subject-issuer attribute, which holds the subject of the first certificate that signed the EEC, to simplify the implementation work for #21.

msalle commented Apr 20, 2017

Just a small question, why not call it subject-x509-issuer? (which is what it is called in the authz-interop profile, see 6.1.4 in the authz-interop profile) It has the same semantics.

andreaceccanti commented Apr 27, 2017

Hi Mischa, I liked the idea of the X509 prefix in the attribute name, which is also used for the new X509-authn-profile attribute. I have no strong feelings about this anyway.

msalle commented Apr 27, 2017

Hi,
I also have no very strong feelings about it, but thought that it might be good to reuse an existing name if it already has the same semantics?

andreaceccanti commented Apr 27, 2017

Well, in theory yes, in practice we use a different XACML profile anyway.

msalle commented Apr 27, 2017

Sure, that's also why I don't have a strong preference (-; On the other hand, we'll probably create also a shortened attribute for the PAP, where you cannot see the profile name. The other EMI/gLite attribute, which contains all issuers of all certs (incl. even proxy DNs), is called subject-issuer or emi-subject-issuer. As long as we make it clear that this is a different one, it should be ok. I'll leave it to you what to do.
