--On Wednesday, June 28, 2023 10:12 AM +1000 Sean Gallagher sean@teletech.com.au wrote:
> On 28/06/2023 3:41 am, Howard Chu wrote:
>> The point of a certificate-based authentication system is not to have to implement authentication rules for each and every individual user.
> It needn't be so fine grained. Just restrict the namespace of accepted certs to that which the system integrator has authority over.
>> that CA should only be issuing certs to valid users. Ideally, the LDAP server should be the CA
> That is too opinionated for universal application. I am sure I am not alone in choosing to use a public CA.
We use a public CA for the TLS sessions, and a private CA for SASL/EXTERNAL. We run our own PKI on the AD side of things too. Using a public CA for client certs seems very odd to me.
--Quanah
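As an added illustration of the split Quanah describes (a public CA for the TLS server certificate, a private CA for SASL/EXTERNAL client certificates, and the accepted-certificate namespace limited to what the integrator controls), here is a slapd.conf fragment. It is not part of the thread or of any OpenLDAP sample configuration; all file paths, DNs and the `ou=people,dc=example,dc=com` namespace are placeholders.

```conf
# slapd.conf fragment (added example; paths and DNs are placeholders)

# Server certificate and key: these may be issued by a public CA.
TLSCertificateFile      /etc/ldap/tls/server.crt
TLSCertificateKeyFile   /etc/ldap/tls/server.key

# The CA file slapd uses to verify *client* certificates holds only the
# private CA, so a client certificate from any other issuer, public CAs
# included, fails verification at the TLS handshake.
TLSCACertificateFile    /etc/ldap/tls/private-client-ca.crt

# Require a client certificate on every TLS session and reject invalid ones.
TLSVerifyClient         demand

# With SASL/EXTERNAL the verified certificate subject becomes the authcid.
# Map only subjects inside the namespace the integrator controls; a subject
# outside it matches nothing and therefore receives no identity.
authz-regexp
  "^cn=([^,]+),ou=people,dc=example,dc=com$"
  "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"
```

`TLSVerifyClient demand` turns away any connection without a valid client certificate; a deployment that also serves password binds over TLS would use `try` instead, which still rejects a presented certificate that does not verify against the private CA while letting certificate-less clients proceed to a simple bind. The `authz-regexp` mapping is the second gate: even a certificate the private CA did issue maps to an entry only when its subject lies in the configured subtree.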