[Libvir] [PATCH] Remote 3/8: Client-side
Mark McLoughlin
markmc at redhat.com
Mon May 14 08:38:15 UTC 2007
On Mon, 2007-05-14 at 09:27 +0100, Richard W.M. Jones wrote:
> Mark McLoughlin wrote:
> > * Also, Postfix allows you to trust all clients with certs from
> > trusted CAs:
> >
> > http://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts
> >
> > It seems like an odd configuration option to me. You'd probably
> > only use this with a single trusted CA which you have direct
> > control over.
>
> This is actually a common and useful configuration.
>
> You set up your own CA and point the server's CACERT to your own CA's
> certificate (and no other CA). Then only the clients for which you
> issue certificates can connect, and this is controlled by distribution
> of the private keys, not by explicit access control lists. If a private
> key file goes AWOL then you can revoke it.
Yes.
> Note that libvirtd _doesn't_ quite support this sort of access because
> it doesn't support wildcards in the commonNames in the client
> certificates, but that would be a useful and simple addition.
I don't grok this ... why would you want a wildcard in the subjectName
of a client certificate?
Or do you mean allowing wildcards in the access control list of client
subjectNames?
Cheers,
Mark.
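An added example (not code from libvirt, Postfix or anyone in this thread) showing the two access models discussed above side by side: "any valid, unrevoked cert from my own CA is enough" (what permit_tls_all_clientcerts does) versus an additional access control list of client subject commonNames with wildcards, plus revocation through a CRL when a private key goes AWOL. It assumes the Python `cryptography` package; the CA name, the client CNs, the ACL pattern "*.hosts.example.org" and the revoked cert are all constructed here for illustration.

```python
"""Client-certificate access control for a private CA (added example, not
libvirt or Postfix code).  Requires the `cryptography` package; every name,
pattern and revocation below is constructed for illustration."""
import fnmatch
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = timezone.utc


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, pubkey, days, is_ca):
    now = datetime.now(UTC)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject)).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1))
            .not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))


def make_ca(cn="Example private CA"):
    """Self-signed CA; the server's CACERT would point at this and nothing else."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _builder(cn, _name(cn), key.public_key(), 3650, True).sign(key, hashes.SHA256())
    return key, cert


def issue_client_cert(ca_key, ca_cert, cn):
    """Client cert whose only link to the CA is the CA's signature over it."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _builder(cn, ca_cert.subject, key.public_key(), 365, False).sign(ca_key, hashes.SHA256())
    return key, cert


def make_crl(ca_key, ca_cert, revoked):
    """CRL listing the serial numbers of certs whose private key went AWOL."""
    now = datetime.now(UTC)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now - timedelta(minutes=1)).next_update(now + timedelta(days=1)))
    for c in revoked:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(c.serial_number)
                                      .revocation_date(now).build())
    return b.sign(ca_key, hashes.SHA256())


def _validity(cert):
    # cryptography >= 42 has tz-aware *_utc attributes; older releases only naive ones
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        return (cert.not_valid_before.replace(tzinfo=UTC),
                cert.not_valid_after.replace(tzinfo=UTC))


def check_client(cert, ca_cert, crl, acl=None, now=None):
    """Return (allowed, reason).  acl=None: any valid cert from our CA is enough.
    Otherwise acl is a list of fnmatch patterns the client's CN must match."""
    now = now or datetime.now(UTC)
    # The issuer *name* is attacker-chosen; only the signature ties the cert to our key.
    if cert.issuer != ca_cert.subject:
        return False, "issuer is not our CA"
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "not signed by our CA"
    nb, na = _validity(cert)
    if not nb <= now <= na:
        return False, "outside validity period"
    # Fail closed on a CRL we cannot trust, then check revocation by serial number.
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return False, "CRL not signed by our CA"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "revoked"
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if acl is None:
        return True, "valid cert from our CA"
    if any(fnmatch.fnmatchcase(cn, pattern) for pattern in acl):
        return True, "CN %r matched ACL" % cn
    return False, "CN %r not in ACL" % cn


def demo():
    """Constructed scenario; returns the policy decision for each case."""
    ca_key, ca_cert = make_ca()
    _, alice = issue_client_cert(ca_key, ca_cert, "alice.hosts.example.org")
    _, bob = issue_client_cert(ca_key, ca_cert, "bob.hosts.example.org")
    # A rogue CA with the *same* DN as ours but its own key: the issuer-name
    # check passes, the signature check must not.
    rogue_key, rogue_ca = make_ca()
    _, eve = issue_client_cert(rogue_key, rogue_ca, "alice.hosts.example.org")
    crl = make_crl(ca_key, ca_cert, [bob])   # bob's private key leaked: revoke it
    return {
        "alice_any_cert": check_client(alice, ca_cert, crl)[0],
        "alice_wildcard_acl": check_client(alice, ca_cert, crl, ["*.hosts.example.org"])[0],
        "alice_strict_acl": check_client(alice, ca_cert, crl, ["bob.hosts.example.org"])[0],
        "bob_revoked": check_client(bob, ca_cert, crl)[0],
        "eve_rogue_ca": check_client(eve, ca_cert, crl)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print("%-20s %s" % (case, "allow" if allowed else "deny"))
```

The point of the rogue-CA case is the one this thread skirts: "only clients I issued certs to can connect" holds only because the server's CACERT contains exactly one CA and the signature is checked against that CA's key; the issuer name in a certificate is whatever the presenter wrote there. The ACL layer on top is what a wildcard would apply to (patterns over the client subjectNames in the server's list), not the commonName inside the client certificate itself.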