<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 16 June 2019 20:27 Marvin Gülker via dovecot <
<a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>> wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
On 16 June 2019 at 15:53 +0300, Aki Tuomi via dovecot wrote:
</div>
<blockquote type="cite">
<div>
You will save yourself from a world of hurt if you use a dummy CA to sign
</div>
<div>
your smartcard cert. You can try without generating a CRL.
</div>
</blockquote>
<div>
I see. I've done that now, but the effort required seems to be
</div>
<div>
disproportionate. I'm just a single person. Requiring a full-blown CA
</div>
<div>
setup is like cracking breakfast eggs with a car. Now I not only have to
</div>
<div>
take care of my smartcard, but also of an almighty CA private key
</div>
<div>
that could be abused to impersonate me and that's not on my smartcard.
</div>
<div>
<br>
</div>
<div>
Don't get me wrong. Dovecot is great software, but I think that X.509
</div>
<div>
was most certainly not designed for the needs of small setups, up to a
</div>
<div>
point where I find working with it just frustrating. OpenSSL's very
</div>
<div>
unhelpful error messages ("engine error") certainly aren't
</div>
<div>
suitable to change my mind on the topic.
</div>
<div>
<br>
</div>
<div>
Anyway, thanks. Now I just need to figure out how to set up my mail
</div>
<div>
client for TLS client certificates...
</div>
<div>
<br>
</div>
<div>
--
</div>
<div>
Blog:
<a href="https://mg.guelker.eu" rel="noopener" target="_blank">https://mg.guelker.eu</a>
</div>
</blockquote>
<div>
<br>
</div>
<div>
By specifying a long enough validity and next CRL date you could just safely discard the CA private key once all is signed. Long, like 5 years at least.
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
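<div>
The dummy-CA route Aki recommends above, as an added example (not from this thread or from Dovecot): a throwaway CA issues one long-lived client certificate plus an equally long-lived empty CRL, bundles them into the file Dovecot's ssl_ca reads, and then its private key is deleted. It assumes OpenSSL 1.1.1 or newer; the directory, file names and subject names are constructed, and a software client key stands in for the CSR a smartcard would produce.
</div>

```shell
# Added example, not from the thread or from Dovecot: a throwaway CA that signs
# one client cert and is then destroyed, as Aki suggests (long validity, long
# CRL nextUpdate, discard the CA key). Assumes OpenSSL 1.1.1+; paths constructed.
set -eu
build_dummy_ca() {
    dir="$1"; days="${2:-1825}"        # 1825 days: the "5 years at least"
    mkdir -p "$dir"
    (
    cd "$dir"
    cat > ca.cnf <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca  = dummy
[ dummy ]
database    = index.txt
certificate = ca.pem
private_key = ca.key
default_md  = sha256
EOF
    # 1. Self-signed dummy CA, outliving the client cert by a month.
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
        -out ca.pem -days "$((days + 30))" -subj "/CN=Dummy client-cert CA"
    # 2. Stand-in CSR; a real smartcard makes its own and the key never leaves it.
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout client.key \
        -out client.csr -subj "/CN=marvin"
    # 3. Sign the CSR with the dummy CA for the whole validity period.
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days "$days" -out client.pem
    # 4. Empty CRL with an equally distant nextUpdate (the "next crl day"):
    #    Dovecot's ssl_require_crl defaults to yes, so a CRL must exist.
    : > index.txt
    openssl ca -config ca.cnf -gencrl -crldays "$days" -out ca.crl
    # 5. What Dovecot reads via ssl_ca = <file: CA cert plus CRL in one file
    #    (alongside ssl_verify_client_cert = yes, auth_ssl_require_client_cert = yes).
    cat ca.pem ca.crl > dovecot-client-ca.pem
    # 6. Nothing more will be issued: drop the CA key so no one can impersonate the user.
    rm -f ca.key
    ) >/dev/null
}
# The check Dovecot performs at connection time: chains to the CA, not revoked.
verify_client_cert() {
    openssl verify -CAfile "$1/ca.pem" -CRLfile "$1/ca.crl" -crl_check \
        "$1/client.pem" >/dev/null 2>&1
}
```

Running `build_dummy_ca ./dummy-ca` followed by `verify_client_cert ./dummy-ca` leaves dovecot-client-ca.pem to point ssl_ca at, client.pem for the mail client, and no CA key left to protect.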
</body>
</html>