pki-io / core

Main pki.io repo

[x509] Request: SubjectAltName support #2

Open MarkPfennig opened 9 years ago

MarkPfennig commented 9 years ago

WebID Protocol has existed for a number of years, it enables decentralized web friendly client authentication. Users authenticate over HTTP+TLS by presenting a certificate with a subjectAltName (SAN) containing a URI Identifier (a WebID) which can be used as a name for the person, for example http://www.w3.org/People/Berners-Lee/card#i is Sir Tim Berners-Lee's WebID.

subjectAltName is reasonably hard to configure with openssl tooling, requiring the SAN to be specified in the openssl.cnf file (reconfigure for every certificate created!)

Please, please, support certificate extensions easily, especially subjectAltName.

Thank you.

zeroXten commented 9 years ago

Awesome, thanks for the suggestion :)

zeroXten commented 9 years ago

I've had a thought about this, would the following work?

Standalone certificates are created directly by an admin and are then signed by a CA. Because the admin is trusted, it would make sense to allow them to set whatever they want for the SANs. Maybe the cert creation could have a switch like --san which is given a comma separated list of domains.

For certs created by nodes, we don't want the nodes being able to control what SANs are used. In the same way we scope the cert DNs at the CA level, we could specify SANs at the CA. We could use a whitelist of domains and we could support a list of SANs that are set for all certs signed by that CA.

For example, creating or editing a CA with --san-required 'www.mydomain.com' and --san-optional '.us.mydomain.com' would force all certs to have a SAN of 'www.mydomain.com' and optionally something below 'us.mydomain.com'.
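The two comments above together describe a design: a CA-level SAN policy (required names plus a whitelist of optional suffixes) applied to node requests, and the resulting names written into the subjectAltName of the issued certificate, including a URI SAN for the WebID use case from the original request. The following Go program is an added example, not pki.io's own code or API; the type `SANPolicy`, its methods, and the helper functions are hypothetical names chosen for illustration, and the CA, node key, and WebID URL are constructed inline so it runs offline. It uses only the standard library's crypto/x509, which can emit DNS and URI SANs directly without an openssl.cnf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// SANPolicy models the CA-level rules proposed in the thread (hypothetical type,
// not pki.io's). Required names go into every cert the CA signs; a node may also
// request names that fall strictly below one of the Optional suffixes, so
// ".us.mydomain.com" admits "node1.us.mydomain.com" but not "us.mydomain.com"
// itself and not "evilus.mydomain.com".
type SANPolicy struct {
	Required []string
	Optional []string
}

// ResolveDNSNames returns the DNS SAN list for a node request: required names
// first, then accepted optional names, with duplicates dropped. The first
// requested name outside the whitelist is rejected with an error.
func (p SANPolicy) ResolveDNSNames(requested []string) ([]string, error) {
	out := append([]string(nil), p.Required...)
	seen := map[string]bool{}
	for _, r := range p.Required {
		seen[strings.ToLower(r)] = true
	}
	for _, name := range requested {
		n := strings.ToLower(strings.TrimSpace(name))
		if n == "" || seen[n] {
			continue
		}
		if !p.allowsOptional(n) {
			return nil, fmt.Errorf("SAN %q is not permitted by CA policy", name)
		}
		seen[n] = true
		out = append(out, n)
	}
	return out, nil
}

// allowsOptional matches on a label boundary: the suffix carries its leading
// dot, so a name must be longer than the suffix and end with it exactly.
func (p SANPolicy) allowsOptional(name string) bool {
	for _, suffix := range p.Optional {
		s := strings.ToLower(suffix)
		if len(name) > len(s) && strings.HasSuffix(name, s) {
			return true
		}
	}
	return false
}

// NewTestCA builds a throwaway self-signed CA for the demonstration.
func NewTestCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueNodeCert signs a leaf for a node carrying the policy-resolved DNS SANs
// and, if given, a WebID as a URI SAN. The node never controls the DNS list.
func IssueNodeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey,
	cn string, dnsNames []string, webID string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     dnsNames,
	}
	if webID != "" {
		u, err := url.Parse(webID)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = []*url.URL{u}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo runs the flow from the thread: the CA policy, a node request for one
// optional name, issuance, and chain verification against the node's SAN.
func Demo() (*x509.Certificate, error) {
	policy := SANPolicy{Required: []string{"www.mydomain.com"}, Optional: []string{".us.mydomain.com"}}
	ca, caKey, err := NewTestCA()
	if err != nil {
		return nil, err
	}
	names, err := policy.ResolveDNSNames([]string{"node1.us.mydomain.com"})
	if err != nil {
		return nil, err
	}
	nodeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Constructed WebID value, taken from the example in the original request.
	cert, err := IssueNodeCert(ca, caKey, &nodeKey.PublicKey, "node1", names,
		"http://www.w3.org/People/Berners-Lee/card#i")
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: "node1.us.mydomain.com"})
	return cert, err
}

func main() {
	cert, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("DNS SANs:", cert.DNSNames)
	fmt.Println("URI SANs:", cert.URIs)
}
```

The suffix comparison keeps the leading dot of each optional entry so that matching happens on a label boundary; without that, a whitelist of "us.mydomain.com" would also admit "evilus.mydomain.com", which is the kind of node-controlled escape the CA-level policy exists to prevent. A real implementation would also want to enforce the same rule on the names a standalone (admin-created) certificate requests, or at least log them, rather than trusting the --san flag unconditionally.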