OpenVPN should support X509 Certificate Policies in order to compartmentalize a Root CA.
Currently, the only way for a single organisation to control which OpenVPN installation a user can connect to is to use separate CAs (assuming that user has an account on both systems).
If an organisation has a registered IANA OID such as 220.127.116.11.4.1.32473 (Example OID), they could distribute sub-trees to various OpenVPN installations within their organisation. Each would run their own subordinate CA (using a common Root CA) but only issue certificates which contain a Certificate Policy OID allocated to them. The server could then (with an appropriate option) check that the client certificate supplied has the allocated Policy OID embedded.
For example 18.104.22.168.4.1.32473.1 (note the .1 suffix) could be allocated to a dept A's OpenVPN server and subordinate CA, while 22.214.171.124.4.1.32473.2 (note the .2 suffix) could be allocated to dept B's OpenVPN server and CA. A user with a certificate issued by dept A's subordinate CA would therefore not be able to log in to dept B's OpenVPN installation and vice versa.
I believe OpenSSL has the ability to check policy trees therefore this shouldn't be too difficult to implement (says the non-programmer!).
This is where we can discuss what we would like to see added or changed in OpenVPN.
1 post • Page 1 of 1