On Thu, 24 Feb 2005, Kevin P. Fleming wrote:

I'm working on a webmail system using client certificates for authentication.

I have Cyrus IMAP working fine with Cyrus SASL and "AUTH=EXTERNAL" after negotiating TLS... the IMAP daemon authenticates the user properly.

However, it chooses the CN from the client cert as the authentication
identity. With a bit of hacking to imap/tls.c I was able to convince it
to use the "email address" instead, but I'd rather not keep it this way...
           ^^^^^^^^^^^^^^^

What field is that, exactly? v3 extension?

Anyway, the goal of authentication is to identify users not email
addresses. The whole idea of using certs is broken, unless you use
the cert itself. No CA makes any attempt to provide _unique_ information.
And the uniqueness of an email address is pretty weak. The only unique
info you can extract from a cert is the public key, which is what you're
actually using to identify the remote party.

There should be a way to associate public keys with cyrus usernames.

Of course, if your server trusts only _one_ CA, and you have control
over how that CA works, you can use certs safely. You can make sure
CN data (or any data) is unique.

BTW, I've used EXTERNAL myself, but only for lmtp, and to identify
servers. And I used an internal CA. CN was server name, and I'm
pretty sure there's no other cert with that CN data.

.TM.
--
      ____/  ____/   /
     /      /       /                   Marco Colombo
    ___/  ___  /   /                  Technical Manager
   /          /   /                      ESI s.r.l.
 _____/ _____/  _/                     [EMAIL PROTECTED]
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
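The "associate public keys with usernames" idea from the reply above, as an added example that is not code from the post or from Cyrus/Cyrus SASL. It is Go using only the standard library: a hypothetical KeyDirectory keyed by the SHA-256 of the certificate's SubjectPublicKeyInfo, plus throw-away self-signed client certificates as constructed test input (the names "alice" and "alice@example.com" are made up). For what it is worth on Marco's question, an e-mail address in an X.509 cert lives either in the subject DN as the PKCS#9 emailAddress attribute or in the subjectAltName extension as an rfc822Name; the demo uses the latter. Two certificates with identical CN and e-mail but different keys are built, only the first key is registered, and the lookup shows that the CN carries no identity by itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// KeyDirectory is the hypothetical "public key -> username" table the reply
// asks for. It is keyed by the SPKI fingerprint, not by CN or e-mail address,
// so whatever subject a CA (or a second CA) puts in a cert does not matter.
type KeyDirectory map[string]string

// SPKIFingerprint returns the lowercase hex SHA-256 of the DER-encoded
// SubjectPublicKeyInfo, i.e. the part of the cert that identifies the key
// holder. Re-issuing a cert for the same key keeps the same fingerprint.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Lookup resolves a presented client certificate to a local username.
// Subject fields are deliberately ignored: only a registered key yields one.
func (d KeyDirectory) Lookup(cert *x509.Certificate) (user string, ok bool) {
	user, ok = d[SPKIFingerprint(cert)]
	return user, ok
}

// NewClientCert is demo scaffolding: a self-signed client cert with the given
// CN and an rfc822Name subjectAltName (the v3-extension form of an e-mail
// address). A CA-issued cert changes nothing below, because the subject is
// still whatever the issuer chose to write.
func NewClientCert(cn, email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed input: two certs with the same CN and e-mail but different
	// keys. Only the first key is known to the directory.
	legit, err := NewClientCert("alice", "alice@example.com")
	if err != nil {
		panic(err)
	}
	clone, err := NewClientCert("alice", "alice@example.com")
	if err != nil {
		panic(err)
	}
	dir := KeyDirectory{SPKIFingerprint(legit): "alice"}

	for _, c := range []struct {
		label string
		cert  *x509.Certificate
	}{{"registered key", legit}, {"same CN, other key", clone}} {
		user, ok := dir.Lookup(c.cert)
		fmt.Printf("%-19s CN=%q email=%v spki=%s... user=%q known=%v\n",
			c.label, c.cert.Subject.CommonName, c.cert.EmailAddresses,
			SPKIFingerprint(c.cert)[:16], user, ok)
	}
}
```

In a real deployment the directory would be populated at enrolment time (the key is pinned when the user is created), and the server-side check runs after the TLS handshake on the verified peer certificate; the single-trusted-CA setup Marco describes is the alternative where the CN is made unique by policy instead.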
