On Mon, Jan 30, 2012 at 05:44:00PM -0500, Adam Langley wrote:
> However, when CAfile consists of a complete list of public CAs, as
> seems quite common, the guidance is rather superfluous and the
> CertificateRequest is huge. For example, try:
Don't use a large list of CAs in a CAfile, that's what CApath is for.
http://www.postfix.org/TLS_README.html#server_cert_key
...
When you configure the Postfix SMTP server to request client
certificates, the DNs of certificate authorities in $smtpd_tls_CAfile
are sent to the client, in order to allow it to choose an identity
signed by a CA you trust. If no $smtpd_tls_CAfile is specified, no
preferred CA list is sent, and the client is free to choose an
identity signed by any CA. Many clients use a fixed identity
regardless of the preferred CA list and you may be able to reduce
TLS negotiation overhead by installing client CA certificates mostly
or only in $smtpd_tls_CApath. In the latter case you need not
specify a $smtpd_tls_CAfile.
No patch is required, users should not configure huge CAfiles.
--
Viktor.
