> On Apr 19, 2019, at 1:10 PM, Wietse Venema <wie...@porcupine.org> wrote:
>
>> Using a name instead of cert fingerprint also requires revocation checking.
>
> Cert revocation is not needed, as long as there is an explicit
> mapping like:
>
> certificate identity -> permit/etc action
> certificate identity -> ersatz SASL login name
>
> By removing such a mapping, one can 'revoke' the privileges that
> were associated with the certificate.
My thoughts exactly! We should probably document this:

    Note: No revocation checks are performed. To revoke privileges,
    remove the table entry matching a given certificate or "subject".

As for "CN" matching, I'm concerned that multiple certificates can have the same CN, which is not required to be unique, especially if the certificates have different "O" or "OU" values. What's more likely to be unique is an rfc822Name subjectAlternative name, or the full subject DN. More recently, we also have SmtpUTF8Mailbox:

    https://tools.ietf.org/html/rfc8398#section-3

So I think that more thought needs to go into what lookup key or keys are extracted from the candidate certificates. This may need to be configurable, or we could try:

1. The full subject DN (in RFC2854 form, suitably quoted).
2. Each rfc822Name SAN.
3. Each SmtpUTF8Mailbox (note U-label domain part).

-- 
	Viktor.
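An added illustration of the key-extraction order proposed in the reply above (example code written for this page, not Postfix's own implementation). It assumes the third-party Python `cryptography` package, builds a throwaway self-signed certificate inline so it runs offline, and uses a constructed mapping table in which deleting an entry is the only "revocation" step; the `der_utf8string`, `make_cert`, `lookup_keys` and `lookup_action` names are this example's own.

```python
# Added example, not Postfix code: derive lookup keys from a client certificate
# in the order proposed above, then consult a static mapping (no revocation check).
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ObjectIdentifier
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

SMTPUTF8MAILBOX = ObjectIdentifier("1.3.6.1.5.5.7.8.9")  # RFC 8398 otherName type-id

def der_utf8string(s):
    """DER-encode a short (< 128 byte) UTF8String for the otherName value."""
    b = s.encode("utf-8")
    return b"\x0c" + bytes([len(b)]) + b

def make_cert():
    """Constructed self-signed cert: non-unique CN plus SAN identities (assumption)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "relay"),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp")])
    san = x509.SubjectAlternativeName([
        x509.RFC822Name("postmaster@example.com"),
        x509.OtherName(SMTPUTF8MAILBOX, der_utf8string("jörg@exämple.com"))])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(san, critical=False).sign(key, hashes.SHA256()))

def lookup_keys(cert):
    """Keys in the proposed order: full subject DN, rfc822Name SANs, SmtpUTF8Mailbox SANs."""
    keys = [cert.subject.rfc4514_string()]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return keys
    keys += san.get_values_for_type(x509.RFC822Name)
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == SMTPUTF8MAILBOX and other.value[:1] == b"\x0c":
            keys.append(other.value[2:].decode("utf-8"))  # strip tag and length
    return keys

# Constructed mapping table; deleting an entry is the only "revocation" step.
TABLE = {"postmaster@example.com": "permit_relay"}

def lookup_action(cert, table=TABLE):
    """Return the action for the first key present in the table, else None."""
    return next((table[k] for k in lookup_keys(cert) if k in table), None)
```

Note that `RFC822Name` only accepts ASCII addresses, which is why the UTF-8 mailbox has to travel in the SmtpUTF8Mailbox otherName and needs its own extraction step.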