[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] [PATCH] Remote 3/8: Client-side



On Mon, 2007-05-14 at 09:27 +0100, Richard W.M. Jones wrote:
> Mark McLoughlin wrote:
> >   * Also, Postfix allows you to trust all clients with certs from 
> >     trusted CAs:
> > 
> >       http://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts
> > 
> >     It seems like an odd configuration option to me. You'd probably 
> >     only use this with a single trusted CA which you have direct 
> >     control over.
> 
> This is actually a common and useful configuration.
> 
> You set up your own CA and point the server's CACERT to your own CA's 
> certificate (and no other CA).  Then only the clients for which you 
> issue certificates can connect, and this is controlled by distribution 
> of the private keys, not by explicit access control lists.  If a private 
> key file goes AWOL then you can revoke it.

	Yes.

> Note that libvirtd _doesn't_ quite support this sort of access because 
> it doesn't support wildcards in the commonNames in the client 
> certificates, but that would be a useful and simple addition.

	I don't grok this ... why would you want a wildcard in the subjectName
of a client certificate?

	Or do you mean allowing wildcards in the access control list of client
subjectNames?

Cheers,
Mark.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]