On Mon, 2007-05-14 at 09:27 +0100, Richard W.M. Jones wrote:
> Mark McLoughlin wrote:
> > * Also, Postfix allows you to trust all clients with certs from
> > trusted CAs:
> >
> > http://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts
> >
> > It seems like an odd configuration option to me. You'd probably
> > only use this with a single trusted CA which you have direct
> > control over.
>
> This is actually a common and useful configuration.
>
> You set up your own CA and point the server's CACERT to your own CA's
> certificate (and no other CA). Then only the clients for which you
> issue certificates can connect, and this is controlled by distribution
> of the private keys, not by explicit access control lists. If a private
> key file goes AWOL then you can revoke it.

Yes.

> Note that libvirtd _doesn't_ quite support this sort of access because
> it doesn't support wildcards in the commonNames in the client
> certificates, but that would be a useful and simple addition.

I don't grok this ... why would you want a wildcard in the subjectName of
a client certificate? Or do you mean allowing wildcards in the access
control list of client subjectNames?

Cheers,
Mark.
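The two models discussed in this thread, "accept every certificate our one CA issued" (the permit_tls_all_clientcerts style) versus "accept only subject names on an access control list, possibly with wildcard entries", can be shown side by side in a small application-level check. The following is an added example, not code from Postfix, libvirt or anyone on the thread. It assumes the TLS layer has already verified the client certificate against the single trusted CA, and it uses the nested-tuple layout that Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates and the ACL are constructed for illustration.

```python
"""Application-level access control on TLS client-certificate subject names.

Added example (not Postfix or libvirt code). Assumes the TLS handshake has
already verified the client's certificate chain against the one trusted CA,
so the only question left is whether this particular subject is allowed in.
The peer-certificate dict layout mirrors ssl.SSLSocket.getpeercert().
"""
import fnmatch


def extract_common_name(peercert):
    """Return the commonName from a getpeercert()-style dict, or None.

    getpeercert() returns 'subject' as a tuple of RDNs, each RDN being a
    tuple of (attribute, value) pairs.
    """
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def client_allowed(peercert, acl):
    """Decide whether an already CA-verified client certificate is accepted.

    acl is None   -> accept any certificate the trusted CA issued; access is
                     then governed purely by who holds a key issued by that
                     CA (the permit_tls_all_clientcerts model).
    acl is a list -> accept only if the certificate's CN matches an entry.
                     Entries without wildcard characters match literally;
                     entries may use shell-style wildcards such as
                     'node*.example.com'. Note that '*' also matches dots,
                     so a wildcard entry is broader than a DNS-style one.
    """
    if not peercert:
        # No certificate was presented (or the TLS layer did not verify one).
        return False
    if acl is None:
        return True
    cn = extract_common_name(peercert)
    if cn is None:
        # A certificate with no CN cannot be matched against a name list.
        return False
    return any(fnmatch.fnmatchcase(cn, pattern) for pattern in acl)


# Constructed sample data: peer-certificate dicts as getpeercert() would
# return them, plus an ACL with one literal and one wildcard entry.
CONSTRUCTED_PEERCERTS = {
    "node1": {
        "subject": ((("commonName", "node1.example.com"),),),
        "issuer": ((("commonName", "Example Internal CA"),),),
    },
    "admin": {
        "subject": ((("commonName", "admin.example.com"),),),
        "issuer": ((("commonName", "Example Internal CA"),),),
    },
    "no_cn": {
        "subject": ((("organizationName", "Example"),),),
        "issuer": ((("commonName", "Example Internal CA"),),),
    },
    "other": {
        "subject": ((("commonName", "laptop.example.org"),),),
        "issuer": ((("commonName", "Example Internal CA"),),),
    },
}
CONSTRUCTED_ACL = ["admin.example.com", "node*.example.com"]


if __name__ == "__main__":
    for name, cert in CONSTRUCTED_PEERCERTS.items():
        print(f"{name:6s} trust-all-CA-clients={client_allowed(cert, None)} "
              f"acl={client_allowed(cert, CONSTRUCTED_ACL)}")
```

The split of responsibilities is the point: the CA decides who gets a usable certificate at all, and the ACL only narrows that set further. Revocation, as the quoted message notes, is the way to pull a key back under the CA-only model, and that must happen at the TLS layer (CRL or equivalent), not in this name check.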