On 29 Sep 2008 at 10:43, Bill Cole wrote:
> Right. You need to keep track of what client certs you trust, so you really should be *at least* the immediate issuer (signer) of the client certs. The only reasons you would want your signing cert for those client certs to have a commercial issuer would be:
That's my intent, to have full control over the client certs, hence the reason for going with self-signed certs for the client side.
> - You want the client certs to be generally usable with those devices and servers other than your own.
I do not; this is only for use with my infrastructure and will be limited to a small handful of people.
> - The devices do not support the addition of new "root" certificates (i.e. your signing cert.)
Mix of devices, but primarily Windows Mobile, Palm, Symbian and BlackBerry handhelds. There will also be a few laptops.
> It is also likely to be irrelevant. The signature chain of a server's cert does not influence what signing chain a client cert needs to have.
Ohh.... I was wondering about that...
Okay then, so as long as Dovecot is set to check client certs and the client cert presented matches the check points (CN, domain name, user email etc.), it'll just work?
> That is only true if you are using a dependable mechanism to assure that users will actually be required to enter a password live rather than have their mail client save it
I've already beaten that one into the couple of business partners who will be making use of this. Personally, I don't ever save passwords, in browsers or otherwise, as a matter of course, so it's not an issue for me.
-- 
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D)
http://www.pdscc.com
(604) 739-3709 (voice/fax)
(604) 686-2253 (pager)
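For reference, here is the Dovecot configuration that implements the setup discussed in this thread (a private CA signing the client certs, independent of the server cert's chain, with the cert checked against the login user while passwords stay required). This is an added illustration, not configuration from either poster; it assumes Dovecot 2.x setting names and made-up file paths under /etc/dovecot/ssl/.

```text
# dovecot.conf fragment (added example; Dovecot 2.x setting names, assumed paths)

# Server cert/key: its issuer (commercial or otherwise) has no bearing on which
# client certs are accepted. That decision is made only by ssl_ca below.
ssl_cert = </etc/dovecot/ssl/imap.example.com.crt
ssl_key  = </etc/dovecot/ssl/imap.example.com.key

# The private CA used to sign the client certs. A client cert is accepted only if
# it chains to this file, so issuing the client certs yourself is what makes the
# trust list yours to control.
ssl_ca = </etc/dovecot/ssl/client-ca.crt

# Dovecot expects a CRL in the ssl_ca file by default; either append the CA's CRL
# to client-ca.crt or disable the check, otherwise valid client certs are rejected.
ssl_require_crl = no

# Weak: this alone only REQUESTS a client cert and verifies one if it is sent.
# A client that sends no cert at all can still log in with just a password.
ssl_verify_client_cert = yes

# Hardened: refuse the login unless a cert chaining to ssl_ca was presented.
auth_ssl_require_client_cert = yes

# Which subject field identifies the user. With auth_ssl_username_from_cert = yes
# that field supplies the username, so a cert issued to CN=alice cannot be used
# to log in as bob. The normal passdb check still runs, so the password the
# users are expected to type live is still required on top of the cert.
ssl_cert_username_field = commonName
auth_ssl_username_from_cert = yes
```

Before enabling auth_ssl_require_client_cert on the live server, confirm with `openssl verify -CAfile client-ca.crt user.crt` that each handheld's cert chains to the CA file Dovecot is pointed at, since a mismatch locks out every client at once.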