tyler.durden
/
PyKMIP
mirror of https://github.com/OpenKMIP/PyKMIP.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adding RFC 5280 link

Peter Hamilton 2017-09-11 14:57:43 -04:00
parent 5b4a0fe960
commit 7bbdceb154
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
FAQ.md

@ -45,7 +45,7 @@ The KMIP specification supports a wide variety of symmetric and asymmetric key a
Client authentication for the PyKMIP server is currently enforced by the validation of the client certificate used to establish the client/server TLS connection. If the client connects to the server with a certificate that has been signed by a certificate authority recognized by the server, the connection is allowed. If the server cannot validate the client's certificate, the connection is blocked and the client cannot access any objects stored on the server.
If client authentication succeeds, the identity of the client is obtained from the client's certificate. The client's certificate must have the extended key usage extension (see RFC 5280) marked for client authentication. This indicates that the certificate can be used to derive client identity. If the extension is present and marked correctly, the server will extract the common name from the certificate's subject distinguished name and use the common name as the identity of the client. If the extension is not present or is marked incorrectly, the server will not be able to derive the client's identity and will close the connection.
If client authentication succeeds, the identity of the client is obtained from the client's certificate. The client's certificate must have the extended key usage extension (see [RFC 5280](https://www.ietf.org/rfc/rfc5280.txt)) marked for client authentication. This indicates that the certificate can be used to derive client identity. If the extension is present and marked correctly, the server will extract the common name from the certificate's subject distinguished name and use the common name as the identity of the client. If the extension is not present or is marked incorrectly, the server will not be able to derive the client's identity and will close the connection.
Once the client's identity is obtained, the client's request is processed as normal. The owner of any objects created by the client will be set to the client's identity (i.e., the common name). This common name is used in conjunction with KMIP operation policies to enforce object access control (see the next question for more information).