[Dovecot] client certs with godaddy ssl cert
Harondel J. Sibble
help at pdscc.com
Mon Sep 29 22:48:35 EEST 2008
On 29 Sep 2008 at 10:43, Bill Cole wrote:

> Right. You need to keep track of what client certs you trust, so you really
> should be *at least* the immediate issuer (signer) of the client certs. The
> only reasons you would want your signing cert for those client certs to have
> a commercial issuer would be:

That's my intent, to have full control over the client certs, hence the reason
for going with self-signed certs for the client side.

> 1. You want the client certs to be generally usable with those devices and
> servers other than your own.

I do not, this is only for use with my infrastructure and will be limited to
a small handful of people.

> 2. The devices do not support the addition of new "root" certificates (i.e.
> your signing cert.)

Mix of devices, but primarily Windows Mobile, Palm, Symbian and BlackBerry
handhelds. There will also be a few laptops.

> It is also likely to be irrelevant. The signature chain of a server's cert
> does not influence what signing chain a client cert needs to have.

Ohh.... I was wondering about that...

Okay then so as long as Dovecot is set to check client certs and the client
cert presented matches the check points, CN, domain name, user email etc,
it'll just work?

> That is only true if you are using a dependable mechanism to assure that
> users will actually be required to enter a password live rather than have
> their mail client save it

I've already beat that one into the couple of business partners that will be
making use of this. Personally I don't ever save passwords, in browsers or
otherwise as a matter of course so not an issue for me.

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)
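
The point quoted in this message, that the issuer of the server's certificate does not constrain the issuer of the client certificates, can be checked with openssl. The script below is an added example, not part of the original post; every name in it (`commercial-ca`, `private-ca`, `mail.example.test`, `alice@example.test`) is constructed, and `commercial-ca` is a locally generated stand-in for a commercial issuer.

```shell
#!/usr/bin/env bash
# Added example: two unrelated CAs, one for the server cert and one for client certs.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: create a self-signed CA key and certificate in $WORK.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue <ca> <name> <subject>: create a key for <name> and sign its cert with <ca>.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 30 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -set_serial "0x$(openssl rand -hex 8)" -out "$WORK/$2.crt" 2>/dev/null
}

# chains_to <ca> <cert>: status 0 only if <cert> verifies with <ca> as trust anchor.
chains_to() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca commercial-ca   # stand-in for the commercial issuer of the server cert
make_ca private-ca      # self-signed CA the administrator controls
issue commercial-ca server "/CN=mail.example.test"
issue private-ca client "/CN=alice/emailAddress=alice@example.test"

# check_independence: status 0 only if each cert chains to its own CA and not the other.
check_independence() {
    chains_to private-ca client && ! chains_to commercial-ca client &&
    chains_to commercial-ca server && ! chains_to private-ca server
}

check_independence && echo "client and server chains are independent"
openssl x509 -in "$WORK/client.crt" -noout -subject -issuer
```

In Dovecot 2.0 through 2.3 the private CA certificate is the file given to `ssl_ca` with `ssl_verify_client_cert = yes`, while the commercially issued server certificate stays in `ssl_cert`; the Dovecot 1.x releases current when this thread was written used differently named settings.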