Sam Varshavchik writes:

Lenz Weber writes:

Hi,
sorry, but I have not found any documentation on this:

I see that I can add a CA certificate to TLS_TRUSTCERTS and then set
TLS_VERIFYPEER to PEER to enable certificate authentication.

But with just that setup, if one client key is compromised, I have to
change the complete CA. Is there a way to revoke a single certificate?

Nope. There is no support for revocation lists at this time.

Note, though, that you can achieve pretty much the same thing via authentication.

Client certificates work by having the code fish out the emailAddress attribute from the client's certificate and use it to log in. So, to effectively revoke the certificate, remove the login, and create another one, with a new certificate.

Even with /etc/passwd, you can have two entries in /etc/passwd with different login names, but the same userid, groupid, and home directory. One is the public email address, the second one is for logging in. To effectively revoke a cert, the second one is removed, and replaced. So, one would have <[email protected]> as their public email address, and their certificate reads <[email protected]>, which logs into this mailbox. Left to its own devices, mail to either address would end up in the same mailbox, but so what. To "remove" the certificate, the <[email protected]> login gets deleted, and replaced with <[email protected]>; the public email address is unaffected.
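The two-entry scheme described above, as an added shell example that is not part of the original post or of Courier itself. It simulates the /etc/passwd layout on a scratch file (never the real /etc/passwd): a public-address entry and a certificate-login entry share uid, gid and home, a lookup resolves the emailAddress taken from a client certificate to a uid the way the login step would, and "revocation" replaces only the certificate-login entry. All account names, uids and the PASSWD_FILE variable are constructed for the example.

```shell
#!/bin/sh
# Scratch passwd-format file standing in for /etc/passwd (constructed example).
PASSWD_FILE="${PASSWD_FILE:-$(mktemp)}"

# Seed two constructed entries: the public mailbox address and the certificate
# login name. Different login names, identical uid/gid/home, so both reach
# the same mailbox.
seed_passwd() {
  cat > "$PASSWD_FILE" <<'EOF'
user@example.com:x:1001:1001:Public mailbox address:/home/user:/usr/sbin/nologin
user-cert-2024a@example.com:x:1001:1001:Client-cert login:/home/user:/usr/sbin/nologin
EOF
}

# Resolve a login name (the emailAddress pulled from a client certificate)
# to its uid. Prints nothing if the name is not present, i.e. the
# certificate's login has been revoked.
lookup_uid() {
  awk -F: -v name="$1" '$1 == name { print $3; exit }' "$PASSWD_FILE"
}

# "Revoke" a certificate: drop its login entry and add a fresh login name
# that keeps the same uid, gid, GECOS, home and shell. Returns 1 if the old
# login does not exist. The public-address entry is never touched.
rotate_cert_login() {
  old="$1"
  new="$2"
  line=$(awk -F: -v name="$old" '$1 == name' "$PASSWD_FILE")
  [ -n "$line" ] || return 1
  tmp=$(mktemp)
  awk -F: -v name="$old" '$1 != name' "$PASSWD_FILE" > "$tmp"
  printf '%s\n' "$line" | awk -F: -v OFS=: -v new="$new" '{ $1 = new; print }' >> "$tmp"
  mv "$tmp" "$PASSWD_FILE"
}

# Demonstration on the scratch file: rotate the certificate login and
# confirm the new name still maps to the mailbox's uid.
seed_passwd
rotate_cert_login user-cert-2024a@example.com user-cert-2024b@example.com
echo "uid for user-cert-2024b@example.com: $(lookup_uid user-cert-2024b@example.com)"
```

After the rotation the old certificate's emailAddress no longer matches any login, so a presented certificate carrying it fails at the authentication step even though the CA that signed it is still trusted; the public address entry, and therefore mail delivery, is unchanged.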
