On Mon, Jan 30, 2012 at 07:13:11PM -0500, Adam Langley wrote:
> > If there is a compelling case for customizing the CA list separately
> > from CAfile, the right interface would I think not be a boolean to
> > suppress the CAfile, but rather a separate parameter to specify the
> > CAs to send, which defaults to "$smtpd_tls_CAfile".
>
> Yep, that makes sense too. Happy to rework the patch if folks like
> that, although I suspect that a real Postfix developer would throw it
> away and do it right in either case.
Your patch looked just fine, but to be complete it needs to also patch
the documentation; the code is the easy part.

Before you invest some effort in that direction, we need to answer the
question of whether this is worth the trouble. Very few users have
ask_ccert turned on, and the current CAfile is sufficient to the task.

Even with ask_ccert enabled, why list every CA on the planet in CAfile?
Just list the ones you are willing to trust, if any, and use CApath if
clients don't need the CA hints. Unlike browsers, most MUAs will likely
not prompt the user for certificate selection.

So I am not yet convinced this warrants the addition of any new
parameters, when judicious use of the existing ones (be it with a
greater understanding of their behaviour) is sufficient.

-- 
	Viktor.
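For reference, the two main.cf layouts contrasted in the reply above, written out as an added example (this is not configuration from the thread or from the Postfix project; file paths, the CA file name and the fingerprint table are assumptions for illustration):

```ini
# Added example, not from the thread. Paths and file names are assumptions.

# --- Layout 1: the whole system CA bundle in CAfile (the case the patch
# targeted). With ask_ccert on, every CA name in this file is advertised to
# the client in the TLS CertificateRequest, and every one of those CAs is
# trusted to verify client certificates.
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# --- Layout 2: judicious use of the existing parameters. CAfile holds only
# the CA(s) whose client certificates this server actually acts on, so those
# are the only names sent as hints. CAs that must merely be trusted for
# verification, without being advertised, go in the hashed CApath directory
# (populate it with "openssl rehash /etc/postfix/cacerts" or c_rehash; with
# a chrooted smtpd the directory must also be reachable inside the chroot,
# e.g. /var/spool/postfix/etc/postfix/cacerts).
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/relay-clients-ca.pem
smtpd_tls_CApath = /etc/postfix/cacerts

# A verified client certificate only grants relay access if its fingerprint
# is listed; the CA list alone does not authorize anything.
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination
```

If no client is expected to present a certificate at all, the simplest option is to leave smtpd_tls_ask_ccert at its default of "no", in which case no CertificateRequest is sent and the contents of CAfile are not advertised to anyone.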