Re: [Libvir] [PATCH] Remote 3/8: Client-side
Hi Rich,
On Mon, 2007-05-14 at 14:04 +0100, Richard W.M. Jones wrote:
Mark McLoughlin wrote:
> 1) Validate the cert was issued by a trusted CA, deny if no
> 2) Ignore the IP address of client
> 3) First check whether the cert fingerprint is on the list of allowed
> client fingerprints, allow if yes
> 4) Otherwise check whether the contents of the SubjectName name field
> is on the list of allowed client SubjectNames, allow if yes, deny
> if no
>
> Postfix does (3), but not (4). Apache does (4), in a fairly fancy way,
> but not (3).
My reading of:
http://www.postfix.org/TLS_README.html#server_access
<quote>
The Postfix list manipulation routines give special treatment to
whitespace and some other characters, making the use of certificate
names impractical. Instead we use the certificate fingerprints as they
are difficult to fake but easy to use for lookup.
</quote>
... is that Postfix would do (4), but does (3) because of a shortcoming
in its configuration file format.
Ah, that explains it.
(I read "certificate name" to mean DN).
Just to be pedantic:
+ Subject Name : the field in X.509 certs which details the identity
of the holder of the associated private key
+ Distinguished Name : the X.500 format for describing identity which
should be used in the Subject Name field
+ Common Name : one of the possible fields in a Distinguished Name
We don't have that problem.
Nope, we don't. A list of allowed subject names would be fine for us. I
do like the option of a list of fingerprints too, but it's not that
important if we have the subject name list. And we could also have the
"allow all clients with valid certs" option.
Cheers,
Mark.