Mark McLoughlin wrote:
* Also, Postfix allows you to trust all clients with certs from
trusted CAs:
http://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts
It seems like an odd configuration option to me. You'd probably
only use this with a single trusted CA which you have direct
control over.
This is actually a common and useful configuration.You set up your own CA and point the server's CACERT to your own CA's certificate (and no other CA). Then only the clients for which you issue certificates can connect, and this is controlled by distribution of the private keys, not by explicit access control lists. If a private key file goes AWOL then you can revoke it.
Note that libvirtd _doesn't_ quite support this sort of access because it doesn't support wildcards in the commonNames in the client certificates, but that would be a useful and simple addition.
Rich. -- Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/ Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 03798903
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature