On 23/03/2010 16:41, Victor Duchovni wrote:

> Having noticed the many pitfalls of parsing X.509 certs, and written
> careful code to parse them (and avoided Postfix being linked to
> vulnerabilities later found in most certificate parsers), I am reluctant
> to ask Postfix users to write robust X.509 parsing code in their own
> policy service code.

True. On the other hand, the admins responsible for setting the institution information (most importantly: 'Organisation') in the certificate are also the ones that need to check for it. And the most likely scenario will be that you want to check if a certificate belongs to one of your own users. Since you put that data in, it should be possible to establish some positive confirmation on that.

I can see that writing an X.509 parser is non-trivial. Maybe this is totally the wrong idea, but would it be possible to reuse the SSLRequire code of Apache in a new check_ccert_x, or possibly in a policy daemon?

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslrequire

That option looks exactly like what we need...

> Do your users actually want to install and use client certs? Do they
> have them in any case for other reasons?

They don't have them now, but they will soon, and so will thousands of other users:

https://www.terena.org/activities/tcs/

Right now nobody has them, so nobody uses them. TERENA has taken the initiative to break this circle and to make them really available to our community. The same approach was used for the TERENA server certificates, which were introduced a couple of years ago. Currently there are about 30.000 servers in the European research and education area field that use those certificates. It is expected that the same will happen with the personal (client) certificates: once it is very easy and convenient to get one, certificate based services will get used more and more.

Lots of postmasters in the academic and research networking area will want to use this. The TERENA Certificate Service is aimed at European NRENs, which means in principle all students/employees/etc of higher education and research institutes. So there is a huge potential.

-- 
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
T +31 20 530 44 88
F +31 20 530 44 99
vis...@terena.org | www.terena.org
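The exchange above turns on two points: a policy service that wants to confirm the 'Organisation' of a client certificate has to parse part of the X.509 structure, and X.509/DER parsing is where certificate parsers have historically gone wrong. The following is an added example, not code from the thread, from Postfix, or from Apache's SSLRequire: a small, strict DER parser for just the X.509 Name structure that extracts the O attribute and compares it exactly against an allow-list of institutions. The sample Name, the institution name "Example University" and the allow-list are constructed for the demonstration. The checks it makes (minimal length encodings only, no indefinite lengths, no data past the declared length, no embedded NUL in strings, exactly one O attribute) are the kind of pitfalls the first quoted paragraph refers to.

```python
"""Strict DER parser for an X.509 Name, used to check the Organisation (O)
attribute of a client certificate against an allow-list.  Added example;
the sample data below is constructed, not taken from a real certificate."""

OID_CN = "2.5.4.3"   # commonName
OID_C = "2.5.4.6"    # countryName
OID_O = "2.5.4.10"   # organizationName

TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
# Directory string types we accept, with a strict codec for each.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8String, PrintableString, IA5String


class DERError(ValueError):
    """Raised for anything that is not well-formed, minimal DER."""


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise DERError("truncated tag/length header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise DERError("multi-byte tags are not used in a Name")
    if first == 0x80:
        raise DERError("indefinite length is not allowed in DER")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DERError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or (n > 1 and buf[pos] == 0):
            raise DERError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise DERError("value runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode an OBJECT IDENTIFIER value into dotted notation."""
    if not value or (value[-1] & 0x80):
        raise DERError("empty or truncated OID")
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def parse_name(der):
    """Parse a DER X.509 Name into an ordered list of (oid, text) pairs."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise DERError("Name must be exactly one SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = read_tlv(body, pos)
        if tag != TAG_SET:
            raise DERError("each RDN must be a SET")
        p = 0
        while p < len(rdn):
            tag, atv, p = read_tlv(rdn, p)
            if tag != TAG_SEQUENCE:
                raise DERError("AttributeTypeAndValue must be a SEQUENCE")
            oid_tag, oid_val, q = read_tlv(atv, 0)
            str_tag, str_val, q = read_tlv(atv, q)
            if oid_tag != TAG_OID or str_tag not in STRING_TAGS or q != len(atv):
                raise DERError("unexpected content in AttributeTypeAndValue")
            text = str_val.decode(STRING_TAGS[str_tag])
            if "\x00" in text:
                raise DERError("embedded NUL in attribute value")
            attrs.append((decode_oid(oid_val), text))
    return attrs


def organisation_allowed(der_name, allowed):
    """True only if the Name carries exactly one O and it is on the allow-list."""
    orgs = [v for oid, v in parse_name(der_name) if oid == OID_O]
    return len(orgs) == 1 and orgs[0] in allowed


# --- constructed sample data (tiny DER encoder, for the demo only) ---------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        a >>= 7
        while a:
            chunks.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunks))
    return _tlv(TAG_OID, out)


def encode_name(attrs):
    """Encode [(oid, text)] as one single-valued RDN per attribute (UTF8String)."""
    rdns = b"".join(_tlv(TAG_SET, _tlv(TAG_SEQUENCE, _encode_oid(o) + _tlv(0x0C, v.encode("utf-8"))))
                    for o, v in attrs)
    return _tlv(TAG_SEQUENCE, rdns)


ALLOWED = {"Example University"}  # constructed institution allow-list
SAMPLE_NAME = encode_name([(OID_C, "NL"), (OID_O, "Example University"), (OID_CN, "Jane Doe")])

if __name__ == "__main__":
    print(parse_name(SAMPLE_NAME))
    print(organisation_allowed(SAMPLE_NAME, ALLOWED))
```

Requiring exactly one O attribute matters: a certificate carrying two O values, one of them legitimate, would otherwise pass a naive "any O matches" test. Exact set membership rather than substring matching avoids "Example University Ltd" being accepted as "Example University". In a real deployment the Name bytes would come from the subject of the presented certificate, and this check is only meaningful after the certificate has been verified against a trusted issuer.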