0010531: Clarify CA chain certificate handling for user certificates in IdentityCriteriaTypes Thumbprint and X509Subject

ID	Project	Category	View Status	Date Submitted	Last Update

0010531	10000-018: Role-Based Security	Spec	public	2025-09-22 09:58	2025-09-23 10:30

Reporter	Matthias Damm	Assigned To	Matthias Damm
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	closed	Resolution	fixed
Product Version	1.05.06 RC1
Fixed in Version	1.05.06

Summary	0010531: Clarify CA chain certificate handling for user certificates in IdentityCriteriaTypes Thumbprint and X509Subject
Description	The X509Subject includes CA certificates in the "Table 10 – IdentityCriteriaType Values" but limits to user certificate in the long description in 4.4.3 IdentityMappingRuleType I addition it requires custom crypto / PKI code to support this for Thumbprint and for more than one hop on X509Subject. X509Subject works fine for one hop since the subject of the issuing CA is part of the user certificate. Agreed in Meeting on July 15 to use one hop for X509Subject and remove from Thumbprint.
Tags	No tags attached.

Commit Version
Fix Due Date

Matthias Damm 2025-09-22 11:14 developer ~0023314	X509Subject: Description in 4.4.3 IdentityMappingRuleType Replaced If the criteriaType is X509Subject, the criteria is the X509 subject name of a Certificate of a user which is trusted by the Server. With If the criteriaType is X509Subject, the criteria is the X509 subject name of a Certificate of a user which is trusted by the Server or the X509 subject name of a direct issuing CA Certificate of the user Certificate. Table 10 – IdentityCriteriaType Values Replaced The rule specifies the X509 subject name of a user or CA Certificate. With The rule specifies the X509 subject name of a user Certificate or the direct issuing CA Certificate of the user Certificate. Thumbprint: Description in 4.4.3 IdentityMappingRuleType Replace If the criteriaType is Thumbprint, the criteria is a thumbprint of an immediate user Certificate or an issuer Certificate in its chain which is trusted by the Server. With If the criteriaType is Thumbprint, the criteria is a thumbprint of a user Certificate. Table 10 – IdentityCriteriaType Values Removed "or CA" from description

Jim Luth 2025-09-23 10:30 administrator ~0023333	Agreed to changes in F2F.

Date Modified	Username	Field	Change
2025-09-22 09:58	Matthias Damm	New Issue
2025-09-22 09:58	Matthias Damm	Status	new => assigned
2025-09-22 09:58	Matthias Damm	Assigned To	=> Matthias Damm
2025-09-22 11:14	Matthias Damm	Status	assigned => resolved
2025-09-22 11:14	Matthias Damm	Resolution	open => fixed
2025-09-22 11:14	Matthias Damm	Fixed in Version	=> 1.05.06
2025-09-22 11:14	Matthias Damm	Note Added: 0023314
2025-09-23 10:30	Jim Luth	Status	resolved => closed
2025-09-23 10:30	Jim Luth	Note Added: 0023333