Mark McLoughlin wrote:
> Note that libvirtd _doesn't_ quite support this sort of access because
> it doesn't support wildcards in the commonNames in the client
> certificates, but that would be a useful and simple addition.
I don't grok this ... why would you want a wildcard in the subjectName
of a client certificate?
Or do you mean allowing wildcards in the access control list of client
subjectNames?
At the moment: The server reliably knows only the IP address of the client.
It is given a certificate by the client, which it checks for validity
against the CA. It also checks the subjectAltName.iPAddress or
commonName field is the IP address (just using strcmp).
It may also check that the client's IP address is on a whitelist
contained in the server configuration file, although by default this
check is switched off.
So you can set up a CA and issue certificates to your clients to control
access, but the certificates must contain the right IP address for the
client (the client cannot be mobile in other words).
This weekend I was coincidentally looking at how client certification
works in browsers, and there authentication is based on all fields in
the Distinguished Name. So you can use any CA, and an access control
list of clients held on the server. See for example:
http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular
I'm not sure what is better and I don't plan on implementing this right
away. I think we need to talk to some real world users.
Rich.
--
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in
England and Wales under Company Registration No. 03798903
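A small model of the two client-certificate policies compared in the mail, added here as an example; it is not libvirt's code and not from the thread. `ip_bound_check` implements the check described for libvirtd (the certificate's subjectAltName iPAddress or commonName must name the address the connection came from, optionally filtered by a server-side whitelist), and `dn_acl_check` implements the browser/mod_ssl-style alternative where only Distinguished Name attributes decide. Certificates are represented in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates, ACL and whitelist are constructed, and all function names are assumptions. One deliberate departure from the mail's strcmp: addresses are parsed with `ipaddress` before comparison so that equivalent textual forms (such as `::1` and `0:0:0:0:0:0:0:1`) agree.

```python
"""Two client-certificate access-control policies: IP-bound (libvirtd as
described in the mail) versus DN-based ACL (mod_ssl style).

Certificate dicts follow the ssl.getpeercert() shape: 'subject' is a tuple
of RDNs, each a tuple of (attribute, value) pairs; 'subjectAltName' is a
tuple of (type, value) pairs, where ssl names iPAddress entries 'IP Address'.
The TLS layer is assumed to have already verified the CA signature.
"""
import ipaddress


def _subject_attr(cert, name):
    """Return the first subject attribute called `name`, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == name:
                return value
    return None


def _san_ips(cert):
    """All iPAddress entries from subjectAltName, as strings."""
    return [v for t, v in cert.get("subjectAltName", ()) if t == "IP Address"]


def ip_bound_check(cert, peer_ip, whitelist=None):
    """libvirtd-style policy: the certificate must name the peer's address
    (SAN iPAddress or commonName), and if a whitelist is configured the
    peer address must be on it.  A CN that is a hostname never matches."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    if whitelist is not None:
        allowed = {ipaddress.ip_address(w) for w in whitelist}
        if peer not in allowed:
            return False
    candidates = _san_ips(cert)
    cn = _subject_attr(cert, "commonName")
    if cn:
        candidates.append(cn)
    for cand in candidates:
        try:
            if ipaddress.ip_address(cand) == peer:
                return True
        except ValueError:
            continue  # not an address literal (e.g. CN "alice")
    return False


def dn_acl_check(cert, acl):
    """mod_ssl-style policy: ignore the peer address; accept if every
    attribute in any ACL entry matches the certificate's subject exactly."""
    for entry in acl:
        if all(_subject_attr(cert, k) == v for k, v in entry.items()):
            return True
    return False


# Constructed sample certificates and policy data (not real libvirt data).
LAPTOP_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("organizationalUnitName", "Virt Admins"),),
                (("commonName", "alice"),)),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}
ADMIN_HOST_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "10.0.0.5"),)),
    "subjectAltName": (),
}
DN_ACL = [{"organizationName": "Example Org",
           "organizationalUnitName": "Virt Admins"}]


def demo():
    """Show the mobility problem the mail describes: the IP-bound policy
    rejects alice as soon as she connects from a new address, while the
    DN-based ACL accepts her from anywhere."""
    return {
        "alice_from_cert_ip": ip_bound_check(LAPTOP_CERT, "192.0.2.10"),
        "alice_moved": ip_bound_check(LAPTOP_CERT, "198.51.100.7"),
        "admin_cn_whitelisted": ip_bound_check(ADMIN_HOST_CERT, "10.0.0.5",
                                               whitelist=["10.0.0.5"]),
        "admin_cn_not_whitelisted": ip_bound_check(ADMIN_HOST_CERT, "10.0.0.5",
                                                   whitelist=["10.0.0.6"]),
        "alice_dn_acl": dn_acl_check(LAPTOP_CERT, DN_ACL),
        "admin_dn_acl": dn_acl_check(ADMIN_HOST_CERT, DN_ACL),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} {'accept' if ok else 'reject'}")
```

The `demo()` results make the trade-off concrete: under the IP-bound policy a valid certificate stops working the moment the client's address changes, whereas the DN-based ACL needs no address at all but then depends entirely on the CA never issuing a matching DN to the wrong party.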