Today, if using X.509 authentication, the subject DN / extracted username is not verified through a factor. Instead, cosign relies on the web server to perform this verification. Usually this is solely based on the certificate chain.
It would be beneficial if the subject DN or, better, the extracted username could be verified through a factor. This way a factor could be used to verify if the user for which the certificate was issued really exists in a directory (e.g. LDAP / AD) and if the account is locked.
Anonymous
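
A sketch of the check requested above, as an added example that is not part of the original post and is not cosign code or its factor interface. It assumes the web server passes the subject DN in comma-separated RFC 4514 string form; the function names are hypothetical, and `DIRECTORY` is a constructed in-memory stand-in for LDAP/AD search results, using the AD attributes `userAccountControl` and `lockoutTime`.

```python
import re

ACCOUNTDISABLE = 0x2  # AD userAccountControl flag for a disabled account
SAFE_USER = re.compile(r"[a-z0-9._-]{1,64}")  # allowlist applied before any lookup

# Constructed sample data standing in for LDAP/AD search results.
DIRECTORY = {
    "alice": {"userAccountControl": 0x200, "lockoutTime": 0},
    "bob": {"userAccountControl": 0x202, "lockoutTime": 0},
    "carol": {"userAccountControl": 0x200, "lockoutTime": 133500000000000000},
}

def split_rdns(dn):
    """Split a DN string on commas, honouring backslash escapes."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts]

def extract_username(subject_dn):
    """Return the first CN value as a lowercase username, or None if unusable."""
    for rdn in split_rdns(subject_dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "CN":
            value = value.strip().lower()
            # Escaped or unexpected characters are rejected, never unescaped.
            return value if SAFE_USER.fullmatch(value) else None
    return None

def verify_cert_user(subject_dn, directory=DIRECTORY):
    """Return (True, username) or (False, reason) for a certificate subject DN."""
    user = extract_username(subject_dn)
    if user is None:
        return (False, "no usable CN")
    entry = directory.get(user)
    if entry is None:
        return (False, "unknown user")
    if entry["userAccountControl"] & ACCOUNTDISABLE:
        return (False, "account disabled")
    if entry["lockoutTime"]:  # simplification: any non-zero value counts as locked
        return (False, "account locked")
    return (True, user)
```

Against a real directory, the allowlisted username would go into an LDAP search filter, and the lockout decision would also need to account for the domain's lockout duration.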