“On my personal to-do list is to implement a simple X.509-CA for
issuing short-term client certs, with a CLI tool to directly manipulate
Thunderbird and Firefox key/cert DB.”
As in, you are planning to build such a suite and put it up on GH for all of
us to use as well???
If so, would love to learn of your progress in that realm…
- - -
On 27 Apr 2022, at 9:45, Michael Ströder wrote:
On 4/27/22 18:36, Viktor Dukhovni wrote:
On 27 Apr 2022, at 12:27 pm, Michael Ströder <mich...@stroeder.com>
wrote:
one way to authenticate may be using Kerberos.
Not recommended for roaming users accessing submission service via
public Internet.
Suitability depends on the user base, ... my personal mail server
indeed supports SASL GSSAPI submission. There are no users with
weak passwords.
Strictly speaking you would have to say SASL GSSAPI with Kerberos 5
because...
Note also that in principle GSSAPI can support all sorts of novel
authentication mechanisms,
...you're of course right that GSSAPI is also a generic layer.
The layering of SASL over GSSAPI is somewhat redundant,
Agreed.
But my concern is rather that I would not connect my KDC to the
Internet (for now leaving aside approaches like proxy KCM).
In general I'm leaning more towards using asymmetric keys for authc.
On my personal to-do list is to implement a simple X.509-CA for
issuing short-term client certs, with a CLI tool to directly
manipulate Thunderbird and Firefox key/cert DB.
Ciao, Michael.