Logon script that sets friendly name about ficam-playbooks HOT 8 CLOSED

@ryancdickson is this similar to the script to import certs for altsecids?

from ficam-playbooks.

@idmken - Not quite.

I think the goal described in this issue would automatically assign a friendly name to a user's PIV credential certificates upon logging onto the intended system.

Populating the "Friendly Name" attribute can make it easier for end-users to distinguish certificates (i.e., authentication versus signature). Not all products support use of "Friendly Name" --- looking quickly, it seems as if IE does, but Chrome does not.

Sample screenshots of manually setting "friendly name" --- and IE presenting it are attached.

from ficam-playbooks.

potentially test with Edge to see if friendly name is still applicable, if not close.

from ficam-playbooks.

Edge presents friendly name, observed in the following image:

from ficam-playbooks.

We believe this issue to be OBE due to the following reasons:

1. the Common (and soon to be bridge) profile updates which disallowed any key usage in EKU has been in effect for almost 3 years
2. recent updates to the profiles have incorporated specific EKUs for the signing cert which would prevent them from being presented in a credential tile screen upon mutual TLS auth
3. Several PIV issuers already append the CN with (A, E, S) for its specific use

from ficam-playbooks.

Some notes:

• 2: Unless the issuer asserts TLS Client EKU in signature cert.

• 3: Only one issuer (HHS) appends -A, -E, -S

from ficam-playbooks.

we also know that modifying the friendly name will not affect the experience for chrome users (assumedly 90% of the user base), and we have no known cert examples of user signature certs with SC auth or TLS client auth in the EKU currently.

from ficam-playbooks.

Closing issue per previous discussions and lack of impact.

from ficam-playbooks.