[keycloak-dev] Certificate subject DN is provider dependent
jdennis at redhat.com
Tue Feb 12 17:17:51 EST 2019
On 2/12/19 4:26 PM, Pedro Igor Silva wrote:
> Sure, but note that RFC-4514 relies on 4519 (which actually defines the
> supported attributed types).
I don't think RFC 4519 is what you're looking for, you want to be
looking at the X509 Certificate RFC's.
Ugh, the RFC's for this stuff is a tangled mess of cross references to
other RFC's. It's ugly and hard to decipher which is probably why these
issues seem to keep cropping up.
> The main reason for pushing this question is that from a security
> perspective, using a deprecated attribute type in subject dn is not
> good. Privacy concerns may apply here too where you may not want people
> to put the email (sensitive) in something that is supposed to be public.
I'm not sure that's the question. You don't have control over the certs
that are presented to you. Rather your job is to ascertain if you can
unequivocally map the cert subject to a principal in your domain. You
probably can't put a stake in the ground and demand the subject contain
certain RDN's (with the exception of the CN). And FWIW just to make
things even more confusing a common convention for client certs is to
put the users email address as the subject's CN.
I have a suggestion, I'm not the ultimate authority on this stuff. We
have a developer on the Certificate Server team who I believe has an
even more in depth understanding and is probably more current on this
topic that I am (I did this work several years ago). He is Fraser
Tweedale <ftweedal at redhat.com>, perhaps you might want to open a
discussion with him. FWIW the Certificate Server is also written in Java
and he might be able to share Java code snippets with you on the best
way to perform these comparisons.
More information about the keycloak-dev