Client authentication via client certificate on ssl/tls
Pascal Gienger
Pascal.Gienger at uni-konstanz.de
Fri Jul 2 07:06:47 EDT 2004
Hi,
Has anybody on the list already had the idea to use information from a
client certificate for authentication in IMAPD?
There could be 3 solutions for it:
1. the TLS part can pass information of the presented client certificate to
imapd, so a normal anonymous login would be sufficient - the imapd process
would use an attribute of the client certificate as user-id.
2. Using an external X509 SASL mechanism - but this requires special
software on the client side and you would present your client certificate 2
times: first in the SSL handshake and second via "AUTHENTICATE".
3. You could use Kerberos 5 and a special signon program to get your ticket
and use GSSAPI as the SASL mechanism.
1. has to be done in imapd and pop3d code.
2. has to be done via an x509 auxprop or external x509 authenticator.
3. means building a Kerberos 5 infrastructure around failover KDCs. This
may work well for Windows boxes, but how about other operating systems?
It would be nice to use client-cert SSL on the whole campus to log in to
services.
Pascal
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
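As an added illustration of option 1 (not part of the original message and not Cyrus code): the step where a server would turn a verified client certificate into a user-id, written against the dict that Python's `ssl.SSLSocket.getpeercert()` returns, so it can be exercised offline. The campus CA name, the mail domain and the sample certificate are assumptions constructed for the example; chain verification with `CERT_REQUIRED` is assumed to have happened in the TLS layer before this mapping runs.

```python
# Added example (not Cyrus code): derive an IMAP user-id from a verified
# TLS client certificate, as option 1 in the post proposes. Input is the
# dict that Python's ssl.SSLSocket.getpeercert() returns after the server
# has verified the chain with CERT_REQUIRED; that verification is assumed.
import re

TRUSTED_ISSUER_CN = "Example Campus CA"  # assumed campus CA name
MAIL_DOMAIN = "example.edu"              # assumed campus mail domain
USERID_RE = re.compile(r"[a-z0-9._-]{1,64}")


def _dn_field(dn, key):
    """First value of `key` in a getpeercert()-style DN tuple, else None."""
    for rdn in dn:
        for name, value in rdn:
            if name == key:
                return value
    return None


def userid_from_peer_cert(cert):
    """Map a client certificate to a user-id, or None to fall back to login.

    Pins the issuer CN, prefers an rfc822Name SAN inside MAIL_DOMAIN,
    falls back to the subject CN, and whitelists the characters used.
    """
    if not cert:  # no certificate presented: nothing to map
        return None
    if _dn_field(cert.get("issuer", ()), "commonName") != TRUSTED_ISSUER_CN:
        return None  # signed by another CA: never trust its DN text
    candidate = None
    for kind, value in cert.get("subjectAltName", ()):
        local, _, domain = value.rpartition("@")
        if kind == "email" and domain.lower() == MAIL_DOMAIN:
            candidate = local.lower()
            break
    if candidate is None:
        cn = _dn_field(cert.get("subject", ()), "commonName")
        candidate = cn.lower() if cn else None
    if candidate and USERID_RE.fullmatch(candidate):
        return candidate
    return None  # empty or unsafe attribute


# Constructed sample of a getpeercert() result for a campus user.
SAMPLE_CERT = {
    "subject": ((("commonName", "pgienger"),),),
    "issuer": ((("commonName", "Example Campus CA"),),),
    "subjectAltName": (("email", "Pascal.Gienger@example.edu"),),
}
```

The `None` result is the signal for the server to refuse the certificate mapping and require an ordinary login instead; a certificate from any other CA is rejected before its subject is even read.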