On 5/16/25 6:19 AM, Gellner, Oliver via mailop wrote:
> Thanks for the information. Using certificates from a third party
> for client authentication, where you have no control what other
> certificates are being issued and subsequently accepted by your server,
> has always been a strange idea anyway.
I don't have any problem with using certificates from a third party for
client /authentication/.
Just because a client is /authenticated/ doesn't mean that they are
/authorized/ to do diddly squat.
/Authorization/ should be based on the subject.
I don't care how many certificates that Let's Encrypt (or any other CA)
has issued. I configure my MTA to verify that the client is
/authenticated/ with a valid certificate *AND* that the subject of said
certificate is /authorized/. It's a two part test. Combining the parts
makes all the other certificates from the CA immaterial.
--
Grant. . . .
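The two-part test described in the reply, written out as an added example that is not from the thread or any particular MTA. It uses the dictionary shape Python's standard `ssl` module returns from `SSLSocket.getpeercert()` (an empty dict when no certificate was verified, otherwise `subject` and `subjectAltName` entries), and assumes the socket was created with `ssl.CERT_REQUIRED` so that a non-empty dict means the chain validated against the configured CA bundle. The sample certificate dictionary, the hostnames and the allowlist are all constructed for illustration.

```python
# Two-part client-certificate decision: authenticated AND authorized.
#
# Assumption: `peercert` is the dict from ssl.SSLSocket.getpeercert() on a
# socket configured with ssl.CERT_REQUIRED. In that mode the dict is empty
# when no certificate was presented/verified, and populated only after the
# chain validated against the trusted CAs. That is the "authenticated" half;
# the "authorized" half is entirely up to us and keys on the subject.

from typing import Iterable, Mapping, Set

# Constructed sample of what getpeercert() returns for a verified client cert.
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "US"),),
        (("commonName", "mx1.partner.example"),),
    ),
    "issuer": (
        (("organizationName", "Example CA"),),
        (("commonName", "Example CA R1"),),
    ),
    "subjectAltName": (
        ("DNS", "mx1.partner.example"),
        ("DNS", "relay.partner.example"),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Constructed allowlist: the only subjects permitted to relay through us.
AUTHORIZED_NAMES: Set[str] = {"mx1.partner.example"}


def is_authenticated(peercert: Mapping) -> bool:
    """Part 1: did the TLS layer validate a certificate from a trusted CA?"""
    return bool(peercert)


def subject_names(peercert: Mapping) -> Set[str]:
    """Collect DNS SANs plus the subject commonName, lower-cased.

    These are the identities the certificate actually asserts, and therefore
    the only things worth comparing against an authorization list.
    """
    names: Set[str] = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def is_authorized(peercert: Mapping, allowed: Iterable[str]) -> bool:
    """Part 2: is at least one asserted identity on our allowlist?"""
    allowed_set = {name.lower() for name in allowed}
    return not subject_names(peercert).isdisjoint(allowed_set)


def client_may_relay(peercert: Mapping, allowed: Iterable[str]) -> bool:
    """Combined decision. A valid certificate from the CA is necessary but
    not sufficient: every other certificate that CA has issued fails part 2."""
    return is_authenticated(peercert) and is_authorized(peercert, allowed)


if __name__ == "__main__":
    # Same CA, different subject: authenticated but NOT authorized.
    stranger = dict(
        SAMPLE_PEERCERT,
        subject=((("commonName", "mail.stranger.example"),),),
        subjectAltName=(("DNS", "mail.stranger.example"),),
    )
    print(client_may_relay(SAMPLE_PEERCERT, AUTHORIZED_NAMES))  # True
    print(client_may_relay(stranger, AUTHORIZED_NAMES))         # False
    print(client_may_relay({}, AUTHORIZED_NAMES))               # False: nothing verified
```

The point the example makes is that the allowlist, not the CA, is what bounds who can relay: a certificate from the same CA with a different subject passes `is_authenticated` and is still refused. Real MTAs express the same idea in configuration rather than code; Postfix, for instance, keys its `check_ccert_access` lookup on the certificate fingerprint rather than the subject, which is another way of making the CA's other certificates immaterial.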
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop