Currently, Pathfinder asks each of the applications calling it to send it a
policy OID. It would probably be better, from a central management point of
view, if there was an override in the configuration file. This override
would take a look at the application, and if an entry existed that was
different or more restrictive than what was sent, would apply the policy
entry in the config file.
An example would be:
[identity policy]
usage match = digitalSignature
ext usage match = smartCardLogin || clientAuth
default = 1.2.3.4.5.6
apache = 2.3.4.5.6
[signature policy]
usage match = digitalSignature
ext usage match = secureEmail
apache = 2.3.4.5.6
[encryption policy]
usage match = dataEncipherment
thunderbird = 4.5.6.7.8.9.0
The above would match the different sections with the keyUsage fields, and
if a match was found, would apply that policy either by default, or on an
application by application basis. This last might require an addition to
the method signature, as I'm not sure that the current signature passes on
an identifier from the client to the daemon.
Original issue reported on code.google.com by ppatt...@gmail.com on 31 Dec 2007 at 4:20
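One way the lookup proposed above could resolve a policy OID, as an added example that is not Pathfinder's own code: it assumes the sections use INI syntax exactly as written in the issue, that "||" in "ext usage match" means "any of", and that the client already passes an application identifier to the daemon.

```python
import configparser

# Constructed sample in the format proposed in the issue (the same three sections).
SAMPLE_CONFIG = """
[identity policy]
usage match = digitalSignature
ext usage match = smartCardLogin || clientAuth
default = 1.2.3.4.5.6
apache = 2.3.4.5.6

[signature policy]
usage match = digitalSignature
ext usage match = secureEmail
apache = 2.3.4.5.6

[encryption policy]
usage match = dataEncipherment
thunderbird = 4.5.6.7.8.9.0
"""


def load_policies(text):
    """Parse the policy file; section names are kept, option keys are lower-cased."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def section_matches(sec, key_usage, ext_key_usage):
    """A section applies when every keyUsage bit in 'usage match' is set on the
    certificate and, if 'ext usage match' is given, at least one listed EKU is present."""
    wanted = {u.strip() for u in sec.get("usage match", "").split("||") if u.strip()}
    if not wanted <= set(key_usage):
        return False
    ekus = [u.strip() for u in sec.get("ext usage match", "").split("||") if u.strip()]
    return not ekus or any(e in ext_key_usage for e in ekus)


def resolve_policy(cp, app, requested_oid, key_usage, ext_key_usage):
    """Return (oid, section) to enforce. The first matching section that has an
    entry for this application (or a 'default') and differs from what the
    application sent wins; otherwise the application's own OID is kept."""
    for name in cp.sections():
        sec = cp[name]
        if not section_matches(sec, key_usage, ext_key_usage):
            continue
        override = sec.get(app) or sec.get("default")
        if override and override != requested_oid:
            return override, name
    return requested_oid, None
```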