Support for Certificate Policies
Posted: Fri Aug 04, 2017 9:29 pm
OpenVPN should support X509 Certificate Policies in order to compartmentalize a Root CA.
Currently, the only way for a single organisation to control which OpenVPN installation a user can connect to is to use separate CAs (assuming that user has an account on both systems).
If an organisation has a registered IANA OID such as 1.3.6.1.4.1.32473 (Example OID), they could distribute sub-trees to various OpenVPN installations within their organisation. Each would run their own subordinate CA (using a common Root CA) but only issue certificates which contain a Certificate Policy OID allocated to them. The server could then (with an appropriate option) check that the client certificate supplied has the allocated Policy OID embedded.
For example 1.3.6.1.4.1.32473.1 (note the .1 suffix) could be allocated to dept A's OpenVPN server and subordinate CA, while 1.3.6.1.4.1.32473.2 (note the .2 suffix) could be allocated to dept B's OpenVPN server and CA. A user with a certificate issued by dept A's subordinate CA would therefore not be able to log in to dept B's OpenVPN installation and vice versa.
I believe OpenSSL has the ability to check policy trees, therefore this shouldn't be too difficult to implement (says the non-programmer!).
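The check the post asks the server to perform, "does the client certificate carry the Policy OID allocated to this installation?", comes down to decoding the certificatePolicies extension (RFC 5280: a SEQUENCE of PolicyInformation, each starting with a policyIdentifier OID and optionally followed by qualifiers) and comparing the OIDs found against an allow-list. The following is an added example written for this post, not code from OpenVPN or from the poster. It builds a sample extension value for the example OIDs above in DER (constructed inline so the script runs offline), parses it back with a small stdlib-only DER reader, and applies the allow-list. Extracting the extension bytes from a real peer certificate (for instance via `openssl x509 -noout -ext certificatePolicies` in OpenSSL 1.1.1 or later, or a full X.509 parser) is outside the block; the OID values and the CPS URI are illustrative only.

```python
"""Allow-list check on the X.509 certificatePolicies extension (added example).

certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
PolicyInformation   ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER,
                                   policyQualifiers SEQUENCE OF ... OPTIONAL }
Only the policyIdentifier is relevant for the allow-list; qualifiers are skipped.
"""
from typing import List, Optional, Tuple

TAG_SEQUENCE, TAG_OID, TAG_IA5STRING = 0x30, 0x06, 0x16
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"  # standard qualifier id for a CPS pointer


def _der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV with a correctly encoded (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the TLV) for the element starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER element")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if pos + length > len(data):
        raise ValueError("DER length exceeds buffer")
    return tag, data[pos:pos + length], pos + length


def encode_oid(oid: str) -> bytes:
    """Dotted OID -> DER content octets (first two arcs packed, then base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)  # continuation bit on all but the last octet
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(value: bytes) -> str:
    """DER content octets -> dotted OID; handles first-arc values 0, 1 and 2."""
    arcs, current = [], 0
    for b in value:
        current = (current << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(current)
            current = 0
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def build_certificate_policies(oids: List[str], cps_uri: Optional[str] = None) -> bytes:
    """Construct a certificatePolicies extension value (sample data for the demo)."""
    infos = b""
    for oid in oids:
        body = _der(TAG_OID, encode_oid(oid))
        if cps_uri:  # optional PolicyQualifierInfo { id-qt-cps, IA5String }
            qualifier = _der(TAG_SEQUENCE, _der(TAG_OID, encode_oid(ID_QT_CPS))
                             + _der(TAG_IA5STRING, cps_uri.encode("ascii")))
            body += _der(TAG_SEQUENCE, qualifier)
        infos += _der(TAG_SEQUENCE, body)
    return _der(TAG_SEQUENCE, infos)


def policy_oids(ext_value: bytes) -> List[str]:
    """Return every policyIdentifier in a certificatePolicies extension value."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)  # one PolicyInformation
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        otag, oid_bytes, _ = _read_tlv(info, 0)  # policyIdentifier comes first
        if otag != TAG_OID:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_bytes))
    return oids


def policy_allowed(ext_value: bytes, allowed: List[str]) -> bool:
    """True if at least one policy in the certificate is on this server's allow-list.

    anyPolicy (2.5.29.32.0) is deliberately not treated as a wildcard: a certificate
    must name the department's OID explicitly to be accepted.
    """
    return any(oid in allowed for oid in policy_oids(ext_value))


if __name__ == "__main__":
    # Constructed sample: a dept A certificate, checked against both departments' servers.
    dept_a_cert = build_certificate_policies(["1.3.6.1.4.1.32473.1"], "https://example.com/cps")
    print("dept A server accepts:", policy_allowed(dept_a_cert, ["1.3.6.1.4.1.32473.1"]))
    print("dept B server accepts:", policy_allowed(dept_a_cert, ["1.3.6.1.4.1.32473.2"]))
```

In deployment this logic would sit in a `--tls-verify` script on each server, which OpenVPN runs for every certificate in the chain; the script would take the exported peer certificate, pull the extension, and exit non-zero when `policy_allowed` is false (the exact hook plumbing is an assumption about OpenVPN's script interface, not something this thread specifies). Note that this is a leaf-certificate allow-list only: a full RFC 5280 policy-tree validation also honours policy constraints and mappings on the intermediate CAs, which is the part the post expects OpenSSL to provide.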