[RFC] EXTERNAL auth choosing between CN and email address?

Marco Colombo marco at esi.it
Thu Feb 24 06:24:40 EST 2005


On Thu, 24 Feb 2005, Kevin P. Fleming wrote:

> I'm working on a webmail system using client certificates for authentication.
>
> I have Cyrus IMAP working fine with Cyrus SASL and "AUTH=EXTERNAL" after 
> negotiating TLS... the IMAP daemon authenticates the user properly.
>
> However, it chooses the CN from the client cert as the authentication 
> identity. With a bit of hacking to imap/tls.c I was able to convince it to 
> use the "email address" instead, but I'd rather not keep it this way...
            ^^^^^^^^^^^^^

What field is that, exactly? v3 extension?

Anyway, the goal of authentication is to identify users not email
addresses. The whole idea of using certs is broken, unless you use
the cert itself. No CA makes any attempt to provide _unique_ information.
And the uniqueness of an email address is pretty weak. The only unique
info you can extract from a cert is the public key, which is what you're
actually using to identify the remote party.

There should be a way to associate public keys with cyrus usernames.

Of course, if your server trusts only _one_ CA, and you have control
on how that CA works, you can use certs safely. You can make sure
CN data (or any data) is unique.

BTW, I've used EXTERNAL myself, but only for lmtp, and to identify
servers. And I used an internal CA. CN was server name, and I'm
pretty sure there's no other cert with that CN data.

.TM.
-- 
       ____/  ____/   /
      /      /       /			Marco Colombo
     ___/  ___  /   /		      Technical Manager
    /          /   /			 ESI s.r.l.
  _____/ _____/  _/		       Colombo at ESI.it
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
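An added example (not code from the thread or from Cyrus) showing the three candidate identities the discussion touches on: the subject CN, the email address (which may live either as the legacy emailAddress attribute in the subject DN or as an rfc822Name in the subjectAltName v3 extension, the "what field is that?" question above), and the public key. It builds two constructed self-signed client certs with identical CN and email but different keys, and maps the SPKI fingerprint to a username, which is the "associate public keys with cyrus usernames" approach the reply argues for. The in-memory key-to-user table, the function names and the sample names are all assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oidEmailAddress is the PKCS#9 emailAddress attribute (1.2.840.113549.1.9.1),
// the legacy place for an email address inside the subject DN.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// CertIdentity collects every identity a server could derive from a client cert.
type CertIdentity struct {
	CN           string   // subject commonName (what Cyrus picks by default)
	SubjectEmail string   // emailAddress attribute in the subject DN, if any
	SANEmails    []string // rfc822Name entries in the subjectAltName extension
	SPKISHA256   string   // hex SHA-256 of the SubjectPublicKeyInfo: the only unique value
}

// Identify extracts the candidate identities from a parsed certificate.
func Identify(cert *x509.Certificate) CertIdentity {
	id := CertIdentity{CN: cert.Subject.CommonName, SANEmails: cert.EmailAddresses}
	for _, n := range cert.Subject.Names {
		if n.Type.Equal(oidEmailAddress) {
			if s, ok := n.Value.(string); ok {
				id.SubjectEmail = s
			}
		}
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	id.SPKISHA256 = hex.EncodeToString(sum[:])
	return id
}

// UserForKey resolves a username from the cert's public-key fingerprint.
// keyMap is a hypothetical server-side enrollment table (fingerprint -> username);
// a cert whose key was never enrolled is rejected regardless of its CN or email.
func UserForKey(keyMap map[string]string, cert *x509.Certificate) (string, error) {
	fp := Identify(cert).SPKISHA256
	u, ok := keyMap[fp]
	if !ok {
		return "", errors.New("no user enrolled for this public key")
	}
	return u, nil
}

// MakeClientCert builds a self-signed client cert with the given CN and email
// in both the subject DN and the SAN extension (constructed test data only).
func MakeClientCert(cn, email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName: cn,
			ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: email}},
		},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := MakeClientCert("Kevin Example", "kevin@example.test")
	if err != nil {
		panic(err)
	}
	id := Identify(cert)
	fmt.Printf("CN=%q subjectEmail=%q sanEmails=%v\nSPKI-SHA256=%s\n",
		id.CN, id.SubjectEmail, id.SANEmails, id.SPKISHA256)
	user, err := UserForKey(map[string]string{id.SPKISHA256: "kevin"}, cert)
	fmt.Println("enrolled user:", user, err)
}
```

Two certs issued with the same CN and email by any CA the server trusts will still carry different SPKI fingerprints, so keying the lookup on the fingerprint rather than on CN or email is what makes the mapping unambiguous; a cert whose key was never enrolled fails the lookup even if its name fields match an existing user.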