[Libvir] [PATCH] Remote 3/8: Client-side

Mark McLoughlin markmc at redhat.com
Mon May 14 13:16:34 UTC 2007

Hi Rich,

On Mon, 2007-05-14 at 14:04 +0100, Richard W.M. Jones wrote:
> Mark McLoughlin wrote:

> >   1) Validate the cert was issued by a trusted CA, deny if no
> >   2) Ignore the IP address of client
> >   3) First check whether the cert fingerprint is on the list of allowed 
> >      client fingerprints, allow if yes
> >   4) Otherwise check whether the contents of the SubjectName name field 
> >      is on the list of allowed client SubjectNames, allow if yes, deny 
> >      if no
> > 
> > 	Postfix does (3), but not (4). Apache does (4), in a fairly fancy way,
> > but not (3).
> My reading of:
> http://www.postfix.org/TLS_README.html#server_access
> <quote>
> The Postfix list manipulation routines give special treatment to 
> whitespace and some other characters, making the use of certificate 
> names impractical. Instead we use the certificate fingerprints as they 
> are difficult to fake but easy to use for lookup.
> </quote>
> ... is that Postfix would do (4), but does (3) because of a shortcoming 
> in its configuration file format.

	Ah, that explains it.

>   (I read "certificate name" to mean DN).

	Just to be pedantic:

  + Subject Name : the field in X.509 certs which details the identity 
    of the holder of the associated private key

  + Distinguished Name : the X.500 format for describing identity which 
    should be used in the Subject Name field

  + Common Name : one of the possible fields in a Distinguished Name

>   We don't have that problem.

	Nope, we don't. A list of allowed subject names would be fine for us. I
do like the option of a list of fingerprints too, but it's not that
important if we have the subject name list. And we could also have the
"allow all clients with valid certs" option.


More information about the libvir-list mailing list