On 18/04/2019 at 21:45, Viktor Dukhovni wrote:
On Apr 18, 2019, at 12:01 PM, Wietse Venema <wie...@porcupine.org> wrote:
Eventually there will be a postfix-xxxx-nonprod release that combines
all the code (jay) and none of the guarantees (bleh).
I am not convinced that stuffing arbitrary PKI identities into a
SASL identity is necessarily a good idea. Maybe it is safer to solve
this problem without PKI-to-SASL cross-talk.
I would expect the mapping to be indirect. That is, a table lookup
key of either the client public key fingerprint to a SASL name (roughly
what we have now, but with an explicit RHS indicating the desired SASL
identity), or else the client's subject name in a standard (likely
RFC2254) form, again mapped to the desired identity, provided the
client certificate is from a trusted PKI issuer.
Yes, I agree. The proposed SASL provider dance is a quick hack so as not to
have to implement the client subject name table lookup.
Emmanuel.
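The indirect mapping Viktor sketches above, as an added illustration that is not part of this thread and not Postfix code: a table keyed either by the client's public-key fingerprint or by its subject name in string form gives the SASL identity, and the subject-name path counts only when the issuer is a trusted CA. The `ClientCert` view, the function names and the sample tables are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class ClientCert:
    """Hypothetical minimal view of a client certificate the TLS layer already accepted."""
    pubkey_fingerprint: str  # hex digest of the public key, any case, with or without colons
    subject: str             # subject DN rendered as a string, e.g. "CN=alice,O=Example Corp"
    issuer: str              # issuer DN rendered in the same string form


def normalize_fingerprint(fp: str) -> str:
    """Canonicalise a fingerprint so table keys and certificate values compare equal."""
    return fp.replace(":", "").strip().lower()


def resolve_sasl_identity(cert: ClientCert,
                          fingerprint_table: Dict[str, str],
                          subject_table: Dict[str, str],
                          trusted_issuers: FrozenSet[str]) -> Optional[str]:
    """Return the SASL identity the tables assign to this certificate, or None.

    The certificate's own subject is never used as the identity directly: an
    explicit fingerprint entry wins, otherwise the subject-name entry applies,
    but only when the issuer is one the administrator trusts. Subject and
    issuer strings must be in the same canonical form as the table keys.
    """
    entry = fingerprint_table.get(normalize_fingerprint(cert.pubkey_fingerprint))
    if entry is not None:
        return entry
    if cert.issuer in trusted_issuers:
        return subject_table.get(cert.subject)
    return None


# Constructed sample tables (placeholder fingerprints, DNs and CA; not real).
FINGERPRINT_TABLE = {normalize_fingerprint(k): v for k, v in {
    "AA:BB:CC:DD:EE:FF:00:11": "relay-host-1",
}.items()}
SUBJECT_TABLE = {
    "CN=alice,O=Example Corp": "alice",
}
TRUSTED_ISSUERS = frozenset({"CN=Example Corp CA,O=Example Corp"})
```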