Client authentication via client certificate on ssl/tls
Pascal.Gienger at uni-konstanz.de
Fri Jul 2 07:06:47 EDT 2004
does anybody on the list already had the idea to use an information of a
client certificate for authentication in IMAPD?
There could be 3 solutions for it:
1. the TLS part can pass information of the presented client certificate to
imapd, so a normal anonymous login would be sufficient - the imapd process
would use an attribute of the client certificate as user-id.
2. Using an external X509 SASL mechanism - but this requires special
software on client side and you would present your client certificate 2
times: First in SSL handshake and second via "AUTHENTICATE".
3. you could use Kerberos 5 and a special signon program to get your ticket
and use GSSAPI as SASL mechanism.
1. has to be done in imapd and pop3d code.
2. has to be done via an x509 auxprop or external x509 authenticator.
3. means to build a kerberos5 infrastructure around failover kdc's. This
may work well for Windows boxes but how about other operating systems?
Would be nice to use client-cert-ssl on the whole campus to login for
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus