On Mon, 2007-05-14 at 09:27 +0100, Richard W.M. Jones wrote:
> Mark McLoughlin wrote:
> > * Also, Postfix allows you to trust all clients with certs from
> > trusted CAs:
> >
> > http://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts
> >
> > It seems like an odd configuration option to me. You'd probably
> > only use this with a single trusted CA which you have direct
> > control over.
>
> This is actually a common and useful configuration.
>
> You set up your own CA and point the server's CACERT to your own CA's
> certificate (and no other CA). Then only the clients for which you
> issue certificates can connect, and this is controlled by distribution
> of the private keys, not by explicit access control lists. If a private
> key file goes AWOL then you can revoke it.

Yes.

> Note that libvirtd _doesn't_ quite support this sort of access because
> it doesn't support wildcards in the commonNames in the client
> certificates, but that would be a useful and simple addition.
I don't grok this ... why would you want a wildcard in the subjectName
of a client certificate?
Or do you mean allowing wildcards in the access control list of client
subjectNames?
Cheers,
Mark.
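The two access models discussed in this thread, a private CA that is the only trusted issuer (so possession of an issued key is the credential, and a lost key is handled by revocation) and an allow list of client subject DNs with wildcard patterns, can be sketched as one access decision. The following is an added example written for this page; it is not code from the thread, from libvirt or from Postfix. It assumes certificates are already represented as parsed subject/issuer DN strings and serial numbers (a real server would obtain these from the verified TLS peer certificate), it stands in for full chain validation with an issuer-DN comparison, and the DN string layout, the glob-style matching rule and all certificate values are constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Hypothetical DN of the private CA that is the only trusted issuer
# (constructed value; the thread's "CACERT pointing at your own CA").
TRUSTED_CA_DN = "CN=Example Private CA,O=Example Org"

# Hypothetical allow list of client subject DNs with glob wildcards,
# the kind of per-subject ACL the thread asks about (constructed).
ALLOWED_DN_PATTERNS = [
    "CN=*.hosts.example.org,O=Example Org",
    "CN=backup-admin,O=Example Org",
]

# Serial numbers revoked after a private key "went AWOL" (constructed).
REVOKED_SERIALS = frozenset({0x1003})


@dataclass(frozen=True)
class ClientCert:
    """Minimal view of an already-parsed X.509 client certificate."""
    subject: str   # subject DN, e.g. "CN=vm1.hosts.example.org,O=Example Org"
    issuer: str    # issuer DN as written by the signing CA
    serial: int    # certificate serial number


def dn_matches(subject_dn: str, pattern: str) -> bool:
    """Case-sensitive glob match of a whole subject DN against one ACL pattern.

    '*' and '?' are wildcards; everything else must match literally, so
    "CN=*.hosts.example.org,O=Example Org" admits any host under that
    organisation but not a cert issued with a different O= component.
    """
    return fnmatch.fnmatchcase(subject_dn, pattern)


def client_allowed(
    cert: ClientCert,
    trusted_ca_dn: str = TRUSTED_CA_DN,
    allowed_patterns: Optional[Iterable[str]] = None,
    revoked_serials: frozenset = REVOKED_SERIALS,
) -> Tuple[bool, str]:
    """Decide whether a client certificate grants access.

    Order of checks:
      1. the certificate must come from the single trusted CA
         (issuer-DN comparison here stands in for chain validation,
         which the TLS layer does with the CA certificate);
      2. a revoked serial is rejected regardless of its subject;
      3. with no ACL configured, any cert from the CA is accepted
         (the "trust all clients with certs from the trusted CA" model);
      4. otherwise the subject DN must match at least one ACL pattern.
    Returns (decision, reason) so the reason can be logged.
    """
    if cert.issuer != trusted_ca_dn:
        return False, "issuer is not the trusted private CA"
    if cert.serial in revoked_serials:
        return False, "certificate serial is revoked"
    if allowed_patterns is None:
        return True, "any certificate from the trusted CA is accepted"
    for pattern in allowed_patterns:
        if dn_matches(cert.subject, pattern):
            return True, f"subject matched ACL pattern {pattern!r}"
    return False, "subject DN is not in the allow list"


if __name__ == "__main__":
    # Constructed sample certificates covering each branch of the decision.
    samples = [
        ClientCert("CN=vm1.hosts.example.org,O=Example Org", TRUSTED_CA_DN, 0x1001),
        ClientCert("CN=backup-admin,O=Example Org", TRUSTED_CA_DN, 0x1002),
        ClientCert("CN=vm2.hosts.example.org,O=Example Org", TRUSTED_CA_DN, 0x1003),
        ClientCert("CN=vm1.hosts.example.org,O=Other Org", "CN=Some Public CA,O=Other", 0x2001),
        ClientCert("CN=intern-laptop,O=Example Org", TRUSTED_CA_DN, 0x1004),
    ]
    for c in samples:
        ok, why = client_allowed(c, allowed_patterns=ALLOWED_DN_PATTERNS)
        print(f"{'ALLOW' if ok else 'DENY ':5} {c.subject:45} ({why})")
```

The split between the CA check and the ACL check is the point of the thread: a private CA already limits access to keys you issued, and the DN allow list is only needed when some of those keys should get less than full access. Keeping the revocation check before the ACL means a compromised key is refused even if its subject would otherwise match a wildcard.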