<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 1/9/2019 6:54 PM, Corey Minyard
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:b41f31a9-3a24-4a18-3b2c-a2a708eb4086@acm.org">2. Set the
userid in the certificate and use client authentication to
<br>
authenticate the user logging in. Set the username in the CN
field
<br>
of the certificate so it can't be changed, extract that and set
the
<br>
CA before verification. This is what I'm currently trying to
do,
<br>
and I keep running into roadblocks.
<br>
</blockquote>
<br>
<p>Why do you think you need to set the CA?</p>
<p>It seems like you should let OpenSSL verify the certificate
against your list of trusted CAs, and if it succeeds then you know
that one of those CAs vouches for this user's identity. Then you
look at their subject name to derive the user ID (probably from
its CN). If you want to be really paranoid - if you believe that
Verisign can vouch for John and Comodo can vouch for Sam, but not
vice versa, factor the issuer name into the process.<br>
</p>
<pre class="moz-signature" cols="72">--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris</pre>
</body>
</html>