[keycloak-dev] Certificate subject DN is provider dependent

John Dennis jdennis at redhat.com
Tue Feb 12 17:17:51 EST 2019

On 2/12/19 4:26 PM, Pedro Igor Silva wrote:
> Sure, but note that RFC-4514 relies on 4519 (which actually defines the 
> supported attributed types).

I don't think RFC 4519 is what you're looking for, you want to be 
looking at the X509 Certificate RFC's.

Ugh, the RFC's for this stuff is a tangled mess of cross references to 
other RFC's. It's ugly and hard to decipher which is probably why these 
issues seem to keep cropping up.

> The main reason for pushing this question is that from a security 
> perspective, using a deprecated attribute type in subject dn is not 
> good. Privacy concerns may apply here too where you may not want people 
> to put the email (sensitive) in something that is supposed to be public.

I'm not sure that's the question. You don't have control over the certs 
that are presented to you. Rather your job is to ascertain if you can 
unequivocally map the cert subject to a principal in your domain. You 
probably can't put a stake in the ground and demand the subject contain 
certain RDN's (with the exception of the CN). And FWIW just to make 
things even more confusing a common convention for client certs is to 
put the users email address as the subject's CN.

I have a suggestion, I'm not the ultimate authority on this stuff. We 
have a developer on the Certificate Server team who I believe has an 
even more in depth understanding and is probably more current on this 
topic that I am (I did this work several years ago). He is Fraser 
Tweedale <ftweedal at redhat.com>, perhaps you might want to open a 
discussion with him. FWIW the Certificate Server is also written in Java 
and he might be able to share Java code snippets with you on the best 
way to perform these comparisons.

John Dennis

More information about the keycloak-dev mailing list