On Mon, Jan 30, 2012 at 11:19:51PM +0000, Viktor Dukhovni wrote:

> On Mon, Jan 30, 2012 at 05:44:00PM -0500, Adam Langley wrote:
>
> > However, when CAfile consists of a complete list of public CAs, as
> > seems quite common, the guidance is rather superfluous and the
> > CertificateRequest is huge. For example, try:
>
> Don't use a large list of CAs in a CAfile, that's what CApath is for.
>
> http://www.postfix.org/TLS_README.html#server_cert_key
>
> ...
>
> When you configure the Postfix SMTP server to request client
> certificates, the DNs of certificate authorities in $smtpd_tls_CAfile
> are sent to the client, in order to allow it to choose an identity
> signed by a CA you trust. If no $smtpd_tls_CAfile is specified, no
> preferred CA list is sent, and the client is free to choose an
> identity signed by any CA. Many clients use a fixed identity
> regardless of the preferred CA list and you may be able to reduce
> TLS negotiation overhead by installing client CA certificates mostly
> or only in $smtpd_tls_CApath. In the latter case you need not
> specify a $smtpd_tls_CAfile.
>
> No patch is required, users should not configure huge CAfiles.
If there is a compelling case for customizing the CA list separately
from CAfile, the right interface would I think not be a boolean to
suppress the CAfile, but rather a separate parameter to specify the
CAs to send, which defaults to "$smtpd_tls_CAfile".

Most SMTP servers don't ask for client certs, and those that do,
typically have short CAfiles that list only private-label CAs...

-- 
	Viktor.
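The CertificateRequest overhead discussed in this thread can be measured directly from the handshake message. The following is an added example, not code from the thread or from Postfix: a parser for a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4 layout, without the 4-byte handshake header) and a matching builder, so one can compare the zero-length certificate_authorities field a CApath-only server sends against the list produced by a large CAfile. The DN `CN=Example CA` is a constructed sample value.

```python
"""Measure the certificate_authorities list in a TLS 1.2 CertificateRequest."""
import struct

# Constructed sample DN: DER for "CN=Example CA" (23 bytes).
EXAMPLE_CA_DN = bytes.fromhex(
    "3015" "3113" "3011" "0603550403" "130a4578616d706c65204341")


def build_certificate_request(ca_dns, cert_types=(1,), sig_algs=((4, 1), (5, 1))):
    """Encode a CertificateRequest body; an empty ca_dns gives the zero-length
    certificate_authorities field that a server without a CAfile sends.
    Defaults: rsa_sign client cert type, sha256/rsa and sha384/rsa sig algs."""
    ca_list = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    sig_bytes = b"".join(bytes(alg) for alg in sig_algs)
    return (bytes([len(cert_types)]) + bytes(cert_types)
            + struct.pack("!H", len(sig_bytes)) + sig_bytes
            + struct.pack("!H", len(ca_list)) + ca_list)


def parse_certificate_request(body):
    """Return cert types, signature algorithms, the DER DNs of the advertised
    CAs and the byte size of the certificate_authorities list."""
    pos = 0
    n_types = body[pos]
    pos += 1
    cert_types = list(body[pos:pos + n_types])
    pos += n_types
    (sig_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos, pos + sig_len, 2)]
    pos += sig_len
    (ca_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ca_len
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    ca_dns = []
    while pos < end:
        (dn_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        ca_dns.append(body[pos:pos + dn_len])
        pos += dn_len
    return {"cert_types": cert_types, "sig_algs": sig_algs,
            "ca_dns": ca_dns, "ca_list_bytes": ca_len}


if __name__ == "__main__":
    for n in (0, 3, 150):  # no CAfile vs. small vs. public-CA-bundle sized
        info = parse_certificate_request(build_certificate_request([EXAMPLE_CA_DN] * n))
        print(f"{n:>3} CA DNs -> certificate_authorities is {info['ca_list_bytes']} bytes")
```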