Re: SASL/EXTERNAL (TLS)
"Kurt D. Zeilenga" wrote:
>
> The authentication identity can be in any form.
The identity has to be unique?
> I rather the
> form be as "natural" as possible. That is, if the authentication
> identity is derived from an X.509 certificate, the identity
> should be "natural" (e.g. X.500) form.
I would not even speak of an X.500 form when using a cert DN, since
most CAs issue certs without caring about directory structure at
all. E.g. look at my freemail cert DN issued by Thawte:
/S=Stroeder/G=Michael/CN=Michael Stroeder/Email=michael@stroeder.com
Just use the cert DN as an unstructured but unique identifier,
regardless of its having been meant as an X.500 name in former days. Note: the
cert DN only has to be unique within the name-space of a CA. Two
different CAs can issue different certs with the same DN.
Ciao, Michael.
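The point Michael makes at the end (a subject DN is only unique within one CA's name-space) is easy to get wrong when a server derives its SASL/EXTERNAL authentication identity from the client certificate. The following is an added example, not code from this thread or from any LDAP implementation: it parses the slash-separated one-line DN format quoted above into RDNs, renders it in LDAP string form, and then shows that keying identities on the subject DN alone collides across two CAs while an issuer-scoped key does not. The subject DN is the one from the post; the issuer DNs and serial numbers are constructed for the example, and the RDN attribute types (S, G, Email) are kept exactly as printed rather than mapped to LDAP attribute names.

```python
"""Deriving a SASL/EXTERNAL identity from a client certificate DN.

Added example for the thread above; not the list's or OpenLDAP's code.
Issuer DNs and serial numbers below are constructed sample data.
"""
from dataclasses import dataclass

# Characters RFC 2253 requires to be escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def parse_slash_dn(dn: str) -> list[tuple[str, str]]:
    """Parse an OpenSSL-style one-line DN ("/S=Stroeder/G=Michael/...")
    into an ordered list of (type, value) RDNs.  A backslash escapes the
    following character, so values may themselves contain '/' or '='."""
    if not dn.startswith("/"):
        raise ValueError("one-line DN must start with '/'")
    parts, buf, escaped = [], [], False
    for ch in dn[1:]:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "/":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling escape at end of DN")
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip(), value))
    return rdns


def _escape_value(value: str) -> str:
    """Escape an attribute value per RFC 2253 (special chars, leading
    '#' or space, trailing space)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def to_ldap_dn(rdns: list[tuple[str, str]]) -> str:
    """Render RDNs as an LDAP string DN: most specific RDN first, comma
    separated, values escaped.  Attribute types are kept as given."""
    return ",".join(f"{t}={_escape_value(v)}" for t, v in reversed(rdns))


@dataclass(frozen=True)
class CertIdentity:
    issuer: str   # issuer DN, LDAP string form
    subject: str  # subject DN, LDAP string form
    serial: int   # serial number; unique only within one issuer

    @classmethod
    def from_slash_dns(cls, issuer: str, subject: str, serial: int) -> "CertIdentity":
        return cls(to_ldap_dn(parse_slash_dn(issuer)),
                   to_ldap_dn(parse_slash_dn(subject)), serial)


# Constructed sample data: the subject DN is the one quoted in the post,
# the issuer DNs and serials are made up.  Two different CAs have issued
# a certificate with the very same subject DN.
THAWTE_STYLE_SUBJECT = "/S=Stroeder/G=Michael/CN=Michael Stroeder/Email=michael@stroeder.com"
SAMPLE_CERTS = [
    CertIdentity.from_slash_dns("/C=XX/O=Example Freemail CA 1", THAWTE_STYLE_SUBJECT, 1001),
    CertIdentity.from_slash_dns("/C=XX/O=Example Freemail CA 2", THAWTE_STYLE_SUBJECT, 7),
    CertIdentity.from_slash_dns("/C=XX/O=Example Freemail CA 1",
                                "/CN=Someone Else/Email=someone@example.org", 1002),
]


def subject_only_key(cert: CertIdentity) -> str:
    """Naive key: the subject DN alone."""
    return cert.subject


def issuer_scoped_key(cert: CertIdentity) -> tuple[str, str]:
    """Key that respects the per-CA name-space: (issuer DN, subject DN)."""
    return (cert.issuer, cert.subject)


def find_collisions(certs, key_fn):
    """Group certificates by key_fn; return the keys shared by more than
    one certificate (each such key is an ambiguous identity)."""
    groups: dict = {}
    for cert in certs:
        groups.setdefault(key_fn(cert), []).append(cert)
    return sorted(k for k, members in groups.items() if len(members) > 1)


def external_authn_identity(cert: CertIdentity, trusted_issuer: str):
    """SASL/EXTERNAL authentication identity: the subject DN, but only for
    certificates from the single issuer this service trusts for the
    mapping.  Anything else yields None (no identity) instead of a guess."""
    if cert.issuer != trusted_issuer:
        return None
    return cert.subject


if __name__ == "__main__":
    print("subject-only collisions:", find_collisions(SAMPLE_CERTS, subject_only_key))
    print("issuer-scoped collisions:", find_collisions(SAMPLE_CERTS, issuer_scoped_key))
    for cert in SAMPLE_CERTS:
        print(cert.serial, "->", external_authn_identity(cert, SAMPLE_CERTS[0].issuer))
```

Run stand-alone, the script reports one collision under the subject-only key and none under the issuer-scoped key, and maps the certificate from the second CA to no identity at all. A deployment that wants to accept certificates from several CAs has to carry the issuer (or restrict each CA to a disjoint subject name-space) in whatever it uses as the authentication identity; otherwise the "unique identifier" is only unique by accident.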