Re: [Libvir] [PATCH] Remote 3/8: Client-side

Hi Rich,

On Mon, 2007-05-14 at 14:04 +0100, Richard W.M. Jones wrote:
> Mark McLoughlin wrote:

> >   1) Validate the cert was issued by a trusted CA, deny if no
> >   2) Ignore the IP address of client
> >   3) First check whether the cert fingerprint is on the list of allowed 
> >      client fingerprints, allow if yes
> >   4) Otherwise check whether the contents of the SubjectName name field 
> >      is on the list of allowed client SubjectNames, allow if yes, deny 
> >      if no
> > 
> > 	Postfix does (3), but not (4). Apache does (4), in a fairly fancy way,
> > but not (3).
> My reading of:
> http://www.postfix.org/TLS_README.html#server_access
> <quote>
> The Postfix list manipulation routines give special treatment to 
> whitespace and some other characters, making the use of certificate 
> names impractical. Instead we use the certificate fingerprints as they 
> are difficult to fake but easy to use for lookup.
> </quote>
> ... is that Postfix would do (4), but does (3) because of a shortcoming 
> in its configuration file format.

	Ah, that explains it.

>   (I read "certificate name" to mean DN).

	Just to be pedantic:

  + Subject Name : the field in X.509 certs which details the identity 
    of the holder of the associated private key

  + Distinguished Name : the X.500 format for describing identity which 
    should be used in the Subject Name field

  + Common Name : one of the possible fields in a Distinguished Name

>   We don't have that problem.

	Nope, we don't. A list of allowed subject names would be fine for us. I
do like the option of a list of fingerprints too, but it's not that
important if we have the subject name list. And we could also have the
"allow all clients with valid certs" option.
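
The four-step check from the quoted proposal, as an added example that is not part of the original message or of libvirt's code. `struct peer`, `authorize_client` and the sample lists are hypothetical, and the DN strings are assumed to be rendered the same way in the allow list and by the TLS library.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum decision { DENY, ALLOW_FINGERPRINT, ALLOW_SUBJECT };
struct peer {                 /* hypothetical: what the TLS layer reports */
    int ca_verified;          /* chain validated against a trusted CA */
    const char *fingerprint;  /* hex digest of the certificate */
    const char *subject_dn;   /* Subject Name rendered as a DN string */
};

/* Compare hex fingerprints, ignoring case and ':' separators. */
static int fingerprint_eq(const char *a, const char *b)
{
    for (;;) {
        while (*a == ':') a++;
        while (*b == ':') b++;
        if (!*a || !*b) return *a == *b;   /* equal only if both ended */
        if (tolower((unsigned char)*a++) != tolower((unsigned char)*b++)) return 0;
    }
}

/* Steps 1-4; the client IP is deliberately not an input (step 2). */
enum decision authorize_client(const struct peer *p,
                               const char *const *fps, size_t nfps,
                               const char *const *dns, size_t ndns)
{
    size_t i;
    if (!p || !p->ca_verified) return DENY;               /* step 1 */
    for (i = 0; p->fingerprint && i < nfps; i++)          /* step 3 */
        if (fingerprint_eq(p->fingerprint, fps[i])) return ALLOW_FINGERPRINT;
    for (i = 0; p->subject_dn && i < ndns; i++)           /* step 4: whole DN */
        if (strcmp(p->subject_dn, dns[i]) == 0) return ALLOW_SUBJECT;
    return DENY;                                          /* default deny */
}

/* Constructed sample data (fingerprints shortened for readability). */
static const char *const ALLOWED_FPS[] = { "AB:CD:EF:01:23:45:67:89" };
static const char *const ALLOWED_DNS[] = { "C=GB,O=Example Org,CN=client1" };
static const struct peer BY_FP   = { 1, "abcdef0123456789", "C=GB,O=Example Org,CN=other" };
static const struct peer BY_DN   = { 1, "00:11:22:33", "C=GB,O=Example Org,CN=client1" };
static const struct peer BAD_CA  = { 0, "AB:CD:EF:01:23:45:67:89", "C=GB,O=Example Org,CN=client1" };
static const struct peer NEAR_DN = { 1, "00:11:22:33", "C=GB,O=Example Org,CN=client10" };

int main(void)
{
    const struct peer *t[] = { &BY_FP, &BY_DN, &BAD_CA, &NEAR_DN };
    for (size_t i = 0; i < 4; i++)
        printf("%d\n", authorize_client(t[i], ALLOWED_FPS, 1, ALLOWED_DNS, 1));
}
```

Passing zero-length lists reduces the function to step 1 alone, which corresponds to the "allow all clients with valid certs" option only if the caller treats that case as an explicit configuration choice rather than as the default.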


