Hi Marc,

Marc Sherman wrote:
> [EMAIL PROTECTED] wrote:
>> How things work in exim with gnutls you have to find out yourself. But 
>> once you know the theory, things are easier to understand. From what you 
>> told us so far, the combination of exim and gnutls seems to not allow 
>> you to configure a client certificate as trusted. The rest is as expected.
> 
> From Leon's original posting, it sounds like he already understands the 
> theory well enough -- the issue is that the process you suggest isn't 
> what's documented.

I didn't suggest any process. I described how PKI works, so we share a 
common foundation, on which we can build up our reasoning.

> Having said that, the apparent implementation does seem sane WRT PKI 
> theory,

If I can't delegate trust to a single client certificate, but have to 
delegate trust to a CA and use a PKI-external mechanism, i.e. exim's 
ACLs, to restrict that trust again, I wouldn't call that sane... but we 
have to live with the limitations of the crypto libraries used.

> and everything we want to do (such as trusting only a subset of
> certs signed by the trusted roots) can be done with a combination of 
> this implementation and ACL conditions,

As always, there are many ways to Rome :)

Of course, if the underlying crypto libraries don't allow delegating 
trust to non-root CA certificates, this discussion is academic, and it 
should be noted in the specs that verification fails if the certificate 
chain can't be built up to a root CA certificate that is configured via 
the tls_verify_certificates option.

From looking at the openssl docs, this seems to be the case indeed: 
"Firstly a certificate chain is built up starting from the supplied 
certificate and ending in the root CA. It is an error if the whole chain 
cannot be built up." Please note that this is not required by PKI 
(unless you check for certificate revocation) nor by TLS.

In addition to a successful cryptographic verification process, one 
must always check that the certificate indeed belongs to the host 
presenting it, i.e. the host's name (or IP address) should be stated in 
the certificate, either in its Subject field or in a 
SubjectAlternativeName extension field. Looking at the exim spec, it 
seems $tls_peerdn unfortunately gives access only to the certificate's 
Subject field.


Patrick Eisenacher

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
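The two points made in the message above (an OpenSSL-backed verifier insists on building the chain up to a root in the configured trust store, and a host-name check needs the SubjectAltName, not just the Subject) can be reproduced with the openssl command line. The script below is an added example written for this thread; it is not exim code, not from any poster, and it says nothing about the GnuTLS build. It generates a throwaway root CA, intermediate CA and server certificate (all names, such as mail.example.org and the file names root.pem, int.pem and leaf.pem, are made up), then runs `openssl verify` in the configurations discussed. One caveat the thread predates: OpenSSL 1.0.2 and later can accept a non-root CA as a trust anchor when X509_V_FLAG_PARTIAL_CHAIN (the `-partial_chain` option) is set, which is also shown.

```shell
#!/bin/sh
# Added example for the exim-users thread on tls_verify_certificates.
# Requires the openssl CLI (1.0.2 or later for -partial_chain and
# -verify_hostname). All names and files below are constructed for the demo.

# build_test_pki DIR: create root CA -> intermediate CA -> server leaf in DIR.
# The leaf's Subject CN (smtp.example.org) deliberately differs from its
# SAN (mail.example.org) to show which field a host-name check consults.
build_test_pki() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.org\n' \
    > "$dir/leaf.ext"

  # Self-signed root CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

  # Intermediate CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null

  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=smtp.example.org" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf DIR [openssl verify options...]: print OK if the leaf verifies
# under the given options, FAIL otherwise (openssl's own output is discarded).
verify_leaf() {
  dir=$1; shift
  if openssl verify "$@" "$dir/leaf.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Trust store = root only; the peer supplies the intermediate (the documented case).
verify_root_anchor() { verify_leaf "$1" -CAfile "$1/root.pem" -untrusted "$1/int.pem"; }
# Trust store = intermediate only; the chain cannot be built up to a root.
verify_int_anchor() { verify_leaf "$1" -CAfile "$1/int.pem"; }
# Same, but allow a non-root trust anchor (OpenSSL >= 1.0.2).
verify_int_partial() { verify_leaf "$1" -partial_chain -CAfile "$1/int.pem"; }
# Full chain plus a host-name check against the certificate (SAN first; the
# Subject CN is ignored once a DNS SAN is present).
verify_hostname() {
  verify_leaf "$1" -CAfile "$1/root.pem" -untrusted "$1/int.pem" -verify_hostname "$2"
}

# Demonstration when run as a script.
demo_dir=$(mktemp -d)
build_test_pki "$demo_dir"
echo "root in CAfile, intermediate from peer:        $(verify_root_anchor "$demo_dir")"
echo "only intermediate in CAfile (no root reachable): $(verify_int_anchor "$demo_dir")"
echo "intermediate as anchor with -partial_chain:     $(verify_int_partial "$demo_dir")"
echo "host name mail.example.org (in SAN):            $(verify_hostname "$demo_dir" mail.example.org)"
echo "host name smtp.example.org (only in Subject CN): $(verify_hostname "$demo_dir" smtp.example.org)"
rm -rf "$demo_dir"
```

The second case is the behaviour the quoted openssl text describes: with only the intermediate in the trust file the chain stops short of a self-signed root and verification fails, so an exim installation that wants to trust a sub-CA has to either put the root in tls_verify_certificates and narrow the result with ACLs, or rely on a partial-chain flag that the library (and exim's use of it) may not expose. The last two cases show why a Subject-only variable is not enough for a host check: the name in the SAN verifies, the name that appears only in the Subject CN does not.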
