Dear Timo,

most modern enterprises make use of a Public Key Infrastructure. It would be nice to have dovecot check a client certificate instead of a password. This makes life much easier and more secure.
Mail clients like Mozilla and MS Outlook do support this. What do you think of the following feature request:

- Client authenticates with a certificate via SSL. (Like stunnel can)
- Dovecot looks the username up in a table with (public key, username)
- The mail client gives a name and password, but dovecot ignores them
- Dovecot gives the client access by the username found in the table

This way existing mail clients can use this system and you can save your username with an empty password.

Best Regards,
Bert Koelewijn
Aloha!

At 12:37 01/10/2003 +0200, Bert Koelewijn wrote:
>Dear Timo,
>
>most modern enterprises make use of a Public Key Infrastructure. It would
>be nice to have dovecot check a client certificate instead of a password.
>This makes life much easier and more secure.
>Mail clients like Mozilla and MS Outlook do support this. What do you
>think of the following feature request:
>
>- Client authenticates with a certificate via SSL. (Like stunnel can)
>- Dovecot looks the username up in a table with (public key, username)
>- The mail client gives a name and password, but dovecot ignores them
>- Dovecot gives the client access by the username found in the table
>
>This way existing mail clients can use this system and you can save your
>username with an empty password.

Wouldn't it be much better to take the list of valid usernames from X.509 extension fields instead of a lookup table? That way the usernames are also verified and trusted information. dovecot-auth would then allow the client to log in with any of the certified usernames using any arbitrary password, or to additional usernames using the correct password.

Of course, one could also use attribute certificates... :)

Anyway, one thing to remember might be that a certificate usually identifies a person, not an account, so if a lookup table is used it should allow the person to have more than one account, and dovecot should allow that person into any one of them. Which one the person wants would be indicated by the username given to LOGIN.

Regards,
Andy
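The authorization step both messages describe, Bert's (certificate, username) table and Andy's two refinements (usernames taken from the certificate's own extension fields, and one person being allowed into more than one account with the LOGIN username choosing which), written out as an added example in Python. It is not Dovecot code and not code from either poster. It assumes the TLS layer (OpenSSL through Python's ssl module, with CERT_REQUIRED and a trusted CA bundle) has already verified the client chain, so what arrives here is the dict that ssl.SSLSocket.getpeercert() returns for a verified peer; the certificate, the table, the password entry and the rfc822Name SAN entries used as usernames are all constructed for the example.

```python
"""Map a TLS-verified client certificate to a mail account (constructed example)."""
import hashlib
import hmac
import ssl


def server_context(ca_bundle, certfile, keyfile):
    """TLS server context that demands and verifies a client certificate.

    Chain validation and certificate parsing happen inside OpenSSL here;
    this module only consumes the already-verified result.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED          # default is CERT_NONE
    ctx.load_verify_locations(ca_bundle)         # CAs allowed to issue client certs
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def dn_string(name):
    """Flatten getpeercert()'s tuple-of-RDN-tuples into 'attr=value,...'."""
    return ",".join(f"{attr}={value}" for rdn in name for attr, value in rdn)


def cert_identity(cert):
    """Key for the lookup table: (issuer DN, serial) is unique per issuing CA.

    getpeercert() does not expose the raw public key Bert's table is keyed
    on, so this pair stands in for it (assumption of this example).
    """
    return (dn_string(cert["issuer"]), cert["serialNumber"])


def certified_usernames(cert):
    """Andy's variant: usernames asserted by the CA in the SAN extension.

    Assumes the CA puts mail addresses as rfc822Name entries and that the
    mail address is the account name.
    """
    return {value for kind, value in cert.get("subjectAltName", ()) if kind == "email"}


def _hash(password, salt=b"constructed-salt"):
    # Constructed stand-in for a real passdb; a fixed salt is fine only here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000).hex()


# --- constructed sample data -------------------------------------------------

SAMPLE_CERT = {                       # shape of ssl.SSLSocket.getpeercert()
    "version": 3,
    "serialNumber": "0A1B2C",
    "subject": ((("countryName", "NL"),),
                (("organizationName", "Example BV"),),
                (("commonName", "Bert Koelewijn"),)),
    "issuer": ((("countryName", "NL"),),
               (("organizationName", "Example BV"),),
               (("commonName", "Example Mail CA"),)),
    "subjectAltName": (("email", "bert@example.com"),
                       ("email", "b.koelewijn@example.com")),
    "notBefore": "Oct  1 00:00:00 2003 GMT",
    "notAfter": "Oct  1 00:00:00 2004 GMT",
}

# Bert's table, with Andy's note applied: one person, several accounts.
CERT_TABLE = {
    (dn_string(SAMPLE_CERT["issuer"]), "0A1B2C"): {"bert", "postmaster"},
}

# Accounts that have no certificate and must still give a password.
PASSWORD_DB = {"ops": _hash("correct horse")}


def verify_password(user, password):
    stored = PASSWORD_DB.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash(password))


def authorize(cert, login_user, password, table=CERT_TABLE):
    """Return the account to log in as, or None.

    1. Accounts bound to the certificate (table entry or SAN names): the
       password is ignored and the LOGIN username picks one of them.
    2. Any other username needs a correct password.
    A connection without a client certificate (cert is None) gets only 2.
    """
    allowed = set()
    if cert:
        allowed |= table.get(cert_identity(cert), set())
        allowed |= certified_usernames(cert)
    if login_user in allowed:
        return login_user
    if verify_password(login_user, password):
        return login_user
    return None


if __name__ == "__main__":
    print(authorize(SAMPLE_CERT, "bert", ""))            # bert, empty password accepted
    print(authorize(SAMPLE_CERT, "ops", "wrong"))        # None, not certified, bad password
    print(authorize(None, "ops", "correct horse"))       # ops, password path still works
```

A certificate from the same CA but with another serial and no SAN entries maps to nothing, so its holder falls back to the password path; that is the behaviour a practitioner should test for, since a table keyed only on the subject name would let a re-issued certificate inherit accounts it was never mapped to.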
On Wed, 2003-10-01 at 13:37, Bert Koelewijn wrote:
> most modern enterprises make use of a Public Key Infrastructure. It
> would be nice to have dovecot check a client certificate instead of a
> password. This makes life much easier and more secure.
> Mail clients like Mozilla and MS Outlook do support this. What do you
> think of the following feature request:
>
> - Client authenticates with a certificate via SSL. (Like stunnel can)
> - Dovecot looks the username up in a table with (public key, username)
> - The mail client gives a name and password, but dovecot ignores them
> - Dovecot gives the client access by the username found in the table

I've thought about it before myself a few times. I'm not against such a patch, but I don't think I'll implement it myself anytime soon.

Doing this also worries me a bit. Wasn't the recent security hole in OpenSSL just in the client certificate parsing? SSL cert authentication would have to rely on OpenSSL (or GNUTLS).