Bugzilla – Bug 4889
Issued DN should be able to handle mix of ePPN, displayName and ePTID
Last modified: 2009-04-19 08:13:38
You need to
before you can comment on or make changes to this bug.
The GridShib-CA should be able to generate a DN given any of the following sets
(1) Send ePPN only.
(2) Send ePPN and displayName.
(3) Send ePTID and displayName.
It handles #1 today by putting ePPN in as the CN.
I believe #2 should be handled by concatenating ePPN and displayName
I'm not sure about #3.
It would also be really nice if this was configurable via gridshib-ca.conf -
need to think about how to do that. If nothing else, encapsulate the logic into
its own perl module.
I don't see the point of putting the displayName in the DN. As with the IdP
entityID (Bug 4888), the displayName can be bound to X.509 or SAML. SAML is
preferred for binding independence, but if X.509 must be used, the Subject Alt
Name extension seems to make more sense (think proxy certificates).
I don't understand the advantage of ePTID over ePPN for this use case, but
remember that ePTID is explicitly scoped to a single SP, which may limit its
utility outside the GridShib CA. Indeed, federation policy may discourage or
forbid the sharing of this attribute beyond the target SP (i.e., the GridShib
How will the DN of the EEC be used by the relying party?
>I don't understand the advantage of ePTID over ePPN for this use case,
As discussed in the Sausage BOF, ePPN is not protected against re-assignment.
> Indeed, federation policy may discourage or
>forbid the sharing of this attribute beyond the target SP (i.e., the GridShib
If this is actually true, a citation would be useful.
>How will the DN of the EEC be used by the relying party?
The DN is a globally unique, non-reassigned identifier of the user. How the RP
chooses to use it is up to the RP.
Removed dependency on 4888 since it's no longer something we're going to do.
0.4.0 release allows for configuration of DN based on IdP.
Not clear to me what happened to displayName here, but it hasn't come up since
so going ahead and marking as CLOSED.