--On Wednesday, June 28, 2023 10:12 AM +1000 Sean Gallagher
<s...@teletech.com.au> wrote:

> On 28/06/2023 3:41 am, Howard Chu wrote:
>> The point of a certificate-based authentication system is not to have to
>> implement authentication rules for each and every individual user.
>
> It needn't be so fine grained. Just restrict the namespace of accepted
> certs to that which the system integrator has authority over.
>
>> that CA should only be issuing certs to valid users. Ideally, the LDAP
>> server should be the CA
>
> That is too opinionated for universal application. I am sure I am not
> alone in choosing to use a public CA.

We use a public CA for the TLS sessions, and a private CA for
SASL/EXTERNAL. We run our own PKI on the AD side of things too. Using a
public CA for client certs seems very odd to me.
--Quanah
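The "restrict the namespace of accepted certs" idea from the thread, as an added illustration that is not code from the thread or from OpenLDAP: accept a client certificate for SASL/EXTERNAL only if it was issued by the integrator's private CA and its subject sits under a DN subtree the integrator controls, then map that subject to a directory entry (the same job slapd's authz-regexp does). The subject and issuer are assumed to arrive as RFC 4514 DN strings; the CA name, subtree, mapping pattern and sample certificates are constructed values.

```python
"""
Added example (not from the mailing-list thread): a policy check that
confines SASL/EXTERNAL identities to a certificate namespace the
integrator controls, then maps an accepted subject to an LDAP DN.
Assumption: subject and issuer are handed to us as RFC 4514 DN strings
such as "cn=alice,ou=people,o=Example Corp". All names are constructed.
"""
import re

# Constructed policy: only subjects under these base DNs, issued by this
# private CA, may authenticate. A server cert from the same CA, or any
# cert from a public CA, falls outside the namespace and is refused.
ALLOWED_SUBJECT_BASES = ["ou=people,o=Example Corp"]
ALLOWED_ISSUERS = ["cn=Example Private CA,o=Example Corp"]
# authz-regexp style mapping from the normalised subject to an entry DN
# (constructed; applied to the lower-cased, comma-joined subject).
SUBJECT_TO_DN = (r"^cn=([^,]+),ou=people,o=example corp$",
                 r"uid=\1,ou=people,dc=example,dc=com")


def parse_dn(dn):
    """Split an RFC 4514 DN string into (attr, value) RDN pairs, honouring
    backslash escapes so 'cn=Smith\\, John' stays one RDN. Types and
    values are lower-cased so comparisons are case-insensitive."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def in_namespace(dn, base):
    """True if dn lies strictly below base, i.e. base's RDNs are dn's
    trailing RDNs. The base itself is not a member of its own namespace."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


def accept_client_cert(subject, issuer):
    """Return the LDAP DN the certificate maps to, or None if rejected:
    the issuer must be one of our private CAs and the subject must sit
    inside an allowed subtree. Anything else, including a public-CA cert
    with a plausible-looking subject, never reaches the mapping step."""
    if not any(parse_dn(issuer) == parse_dn(i) for i in ALLOWED_ISSUERS):
        return None
    if not any(in_namespace(subject, b) for b in ALLOWED_SUBJECT_BASES):
        return None
    pattern, replacement = SUBJECT_TO_DN
    normalized = ",".join("%s=%s" % p for p in parse_dn(subject))
    if re.match(pattern, normalized) is None:
        return None
    return re.sub(pattern, replacement, normalized)


if __name__ == "__main__":
    # Constructed sample certificates: one user cert from the private CA,
    # one server cert from the same CA, one user-looking cert from a public CA.
    private_ca = "cn=Example Private CA,o=Example Corp"
    for subj, iss in [("cn=alice,ou=people,o=Example Corp", private_ca),
                      ("cn=ldap.example.com,ou=servers,o=Example Corp", private_ca),
                      ("cn=alice,ou=people,o=Example Corp", "cn=Some Public CA,o=Public Inc")]:
        print(subj, "|", iss, "->", accept_client_cert(subj, iss))
```

The issuer check is what lets a public CA be used for the server's TLS certificate while a separate private CA vouches for client identities; the subtree check is what stops the private CA's own server or device certificates from doubling as user logins.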