On Fri, May 16, 2025 at 09:23:13PM -0500, Grant Taylor via mailop wrote:
> On 5/16/25 6:19 AM, Gellner, Oliver via mailop wrote:
> > Thanks for the information. Using certificates from a third party for
> > client authentication, where you have no control over what other certificates
> > are being issued and subsequently accepted by your server, has always
> > been a strange idea anyway.
>
> I don't have any problem with using certificates from a third party for
> client /authentication/.
>
> Just because a client is /authenticated/ doesn't mean that they are
> /authorized/ to do diddly squat.
>
> /Authorization/ should be based on the subject.
>
> I don't care how many certificates that Let's Encrypt (or any other CA) has
> issued. I configure my MTA to verify that the client is
> /authenticated/ with a valid certificate *AND* that the subject of said
> certificate is /authorized/. It's a two-part test. Combining the parts
> makes all the other certificates from the CA immaterial.
You probably should not trust the subject name of a client certificate from a public CA to be a valid binding to local authorisation data. In typical deployments that means you trust every CA/B forum public CA to identify your authorised users, which would not be a good idea.

Since we're talking about mail, FWIW, Postfix does not directly support making authorisation decisions based on the client certificate name; instead "check_ccert_access" uses the server certificate or public key digest as the lookup key for the access policy.

-- 
Viktor.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
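Viktor's point about keying the access decision on the certificate digest rather than on the CA-attested subject name, shown as an added Postfix configuration (this is not from the thread or from the Postfix documentation; the file paths and the fingerprint value are placeholders, not real values):

```ini
# /etc/postfix/main.cf (added example; paths are assumptions)
# Offer TLS and ask the SMTP client for a certificate; trust anchors for the
# client's chain live in the CAfile.
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/client-ca.pem
# Digest algorithm used for the check_ccert_access lookup key.
smtpd_tls_fingerprint_digest = sha256

# Authorisation is keyed on the digest of the presented certificate (or its
# public key), so which CA issued it, and what subject name the CA put in it,
# does not grant relay rights by itself.
smtpd_relay_restrictions =
    permit_mynetworks,
    check_ccert_access hash:/etc/postfix/relay_clientcerts,
    permit_sasl_authenticated,
    reject_unauth_destination

# /etc/postfix/relay_clientcerts (run "postmap /etc/postfix/relay_clientcerts"
# after editing)
# key:   SHA-256 fingerprint of the client certificate, as printed by
#        openssl x509 -noout -fingerprint -sha256 -in client.pem
# value: access(5) action; OK permits relaying for this one certificate only.
# The fingerprint below is a PLACEHOLDER pattern, not a real certificate digest.
00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF  OK
```

A client presenting any other certificate from the same CA, however its subject reads, falls through to the remaining restrictions and is not relayed on the strength of the certificate alone.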