Re: [exim] TLS authentication

Top Page
Delete this message
Reply to this message
Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] TLS authentication
On Thu, Feb 16, 2023 at 09:44:55PM +0100, Heiko Schlittermann via Exim-users wrote:

> > Is it at all possible with OpenSSL to stop the "system" location from
> > being checked? If not, that seems to make the use of TLS for client
> > authentication impossible because any certificate presented by
> > e.g. Google will pass verification. Am I reading this correctly?
>
> IMHO it shouldn't be sufficient accept any client that just has a
> verified certificate ("authenticated"). You should check, if the client
> is "authorized", by checking required certificate attributes (issuer,
> subject, …)
>


Some applications (want to) only accept client certificates issued by a
dedicated non-public CA, which amounts to an authorisation server. If
the CA gave you a cert, you're an authorised user of the application
until the cert expires (or is revoked, if the server application has
access to timely CRLs, ...)

They drank the PKI coolaid. I don't recommend this design. Often
simpler to just use a list of authorised public keys instead.

-- 
    Viktor.