Harondel J. Sibble wrote:
On 27 Sep 2008 at 13:22, mouss wrote:
if you have a commercial cert, you don't need a self signed cert. self signed certs are for people who don't want to get a cert signed by a 3d party (commercial or other). For email, you generally don't need a commercial certificate because your users know you and you know them, and because users don't connect to thousand imap servers.
Huh? I am looking to implement client side certificates which have to be installed on the end user device before they are able to connect to my mailserver.
Right. You need to keep track of what client certs you trust, so you really should be *at least* the immediate issuer (signer) of the client certs. The only reasons you would want your signing cert for those client certs to have a commercial issuer would be:
You want the client certs to be generally usable with those devices and servers other than your own.
The devices do not support the addition of new "root" certificates (i.e. your signing cert.)
I already have a commercial cert on the mailserver so that's a moot point.
It is also likely to be irrelevant. The signature chain of a server's cert does not influence what signing chain a client cert needs to have.
Secondly a client cert allows me to verify that the device connecting is allowed, this is secondary to any login info the user may have, ie 2 factor authentication, something you know (uid/password) and something you have (certificate).
That is only true if you are using a dependable mechanism to assure that users will actually be required to enter a password live rather than have their mail client save it