Quoting Rob Siemborski <[EMAIL PROTECTED]>:
On Fri, 2 Jan 2004, Christos Soulios wrote:
Rob Siemborski wrote:
On Fri, 2 Jan 2004, Paul Boven wrote:
The only argument I currently completely understand for an IP-only based setup is that of sites that need to distinguish ANONYMOUS users between domains (and perhaps that is good enough).
What about being able to determine the virtual domain based on the ip address and presenting different ssl certificate for each domain? Even presenting different host name, one that is in accordance to the ssl certificate. All this happens long before authentication. Right? This would be really nice to implement.
You can do that in a model that still allows users to add an @ sign and a domain to their userid.
I cannot figure out how this can be achieved. And to make it clear, I will give an example.
I have two domains, domain1.com and domain2.com, which are hosted by the hosts imap.domain1.com and imap.domain2.com respectively. These two servers must have two different certificates with cn=imap.domain1.com and cn=imap.domain2.com.
When the user connects to imap.domain1.com, and long before the user authentication takes place, Cyrus must be able to present the correct certificate, because most mail clients will not accept connecting to the IMAP host imap.domain1.com and being presented a certificate with cn=imap.otherdomain.com.
But how can cyrus be able to know which is the correct certificate to present?
Of course, not by retrieving the domain from the userid suffix. Then it is too late; the authentication has already taken place. In my opinion this must have taken place by the time the user connects. And then the only way for Cyrus to determine the correct virtual domain is _only_ using the IP address of the server interface.
Am I right or am I missing something here?
IMO this should be handled by TLS. There is an extension (RFC 3546) to handle this, but I don't think it's had wide deployment yet.
--
Kenneth Murchison
Oceana Matrix Ltd.
Software Engineer
21 Princeton Place
716-662-8973 x26
Orchard Park, NY 14127
--PGP Public Key--
http://www.oceana.com/~ken/ksm.pgp