3 Oct 2003, 5:48 p.m.
On Wed, 2003-10-01 at 13:37, Bert Koelewijn wrote:
Most modern enterprises make use of a Public Key Infrastructure. It would be nice to have Dovecot check a client certificate instead of a password. This makes life much easier and more secure. Mail clients like Mozilla and MS Outlook do support this. What do you think of the following feature request:
- Client authenticates with a certificate via SSL. (Like stunnel can)
- Dovecot looks the username up in a table with (public key, username)
- The mail client gives a name and password, but Dovecot ignores them
- Dovecot gives the client access by the username found in the table
I've thought about it before myself a few times. I'm not against such a patch, but I don't think I'll implement it myself anytime soon.
Doing this also worries me a bit. Wasn't the recent security hole in OpenSSL just in the client certificate parsing? SSL cert authentication would have to rely on OpenSSL (or GNUTLS).
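The four-step flow Bert proposes, sketched as an added Python example (not Dovecot code, and not from either poster): the server side of the TLS connection requires a client certificate, and the mailbox user is taken from a lookup table keyed on the verified certificate rather than from whatever name and password the mail client typed. The table, the certificate bytes and the file paths are constructed placeholders; the table is keyed on the SHA-256 fingerprint of the DER certificate, which is one common way to realise the "(public key, username)" table in the proposal. The point the code makes explicit is that the presented username and password are never consulted, so an attacker who learns them gains nothing, and a connection with no verified certificate gets no user at all.

```python
import hashlib
import ssl
from typing import Dict, Optional

# Constructed sample "certificates": these byte strings stand in for the DER
# encoding a real client certificate would have. They are NOT real certificates.
ALICE_CERT_DER = b"constructed-placeholder-der-bytes-for-alice"
BOB_CERT_DER = b"constructed-placeholder-der-bytes-for-bob"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


# Constructed lookup table: certificate fingerprint -> mailbox user.
# In a deployment this would be populated from the site's PKI / user directory.
CERT_TO_USER: Dict[str, str] = {
    fingerprint(ALICE_CERT_DER): "alice",
    fingerprint(BOB_CERT_DER): "bob",
}


def resolve_user(der_cert: Optional[bytes],
                 presented_username: str,
                 presented_password: str,
                 table: Dict[str, str]) -> Optional[str]:
    """Step 2-4 of the proposal: map the verified client cert to a user.

    The name and password the mail client sent are deliberately ignored; the
    identity comes only from the certificate the TLS layer already verified.
    Returns None when there is no certificate or it is not in the table.
    """
    del presented_username, presented_password  # never used for the decision
    if not der_cert:
        return None
    return table.get(fingerprint(der_cert))


def make_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Step 1 of the proposal: a server-side TLS context that demands a client
    certificate chaining to the site CA. ca_file/cert_file/key_file are assumed
    paths supplied by the deployment (placeholders here)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED      # handshake fails without a client cert
    ctx.load_verify_locations(cafile=ca_file)  # only certs signed by this CA pass
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def authenticate_connection(conn: ssl.SSLSocket,
                            presented_username: str,
                            presented_password: str,
                            table: Dict[str, str] = CERT_TO_USER) -> Optional[str]:
    """Glue for a live connection: pull the peer's DER certificate (already
    verified by the context above) and resolve it to a mailbox user."""
    der = conn.getpeercert(binary_form=True)
    return resolve_user(der, presented_username, presented_password, table)
```

`make_server_context` and `authenticate_connection` need real certificate files and a live TLS socket; `resolve_user` is the pure decision step and can be exercised on its own, as in the assertions below: the right certificate wins regardless of the typed credentials, and an unknown or absent certificate yields no user even when the "correct" name is supplied.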