On Thu, Feb 16, 2023 at 09:44:55PM +0100, Heiko Schlittermann via Exim-users wrote:
> > Is it at all possible with OpenSSL to stop the "system" location from
> > being checked? If not, that seems to make the use of TLS for client
> > authentication impossible because any certificate presented by
> > e.g. Google will pass verification. Am I reading this correctly?
>
> IMHO it shouldn't be sufficient accept any client that just has a
> verified certificate ("authenticated"). You should check, if the client
> is "authorized", by checking required certificate attributes (issuer,
> subject, …)
>
Some applications (want to) only accept client certificates issued by a
dedicated non-public CA, which amounts to an authorisation server. If
the CA gave you a cert, you're an authorised user of the application
until the cert expires (or is revoked, if the server application has
access to timely CRLs, ...)
They drank the PKI coolaid. I don't recommend this design. Often
simpler to just use a list of authorised public keys instead.
--
Viktor.
