Re: Client Auth certificates, threat or menace?

From John Levine <johnl@taugh.com>
Newsgroups comp.mail.sendmail
Subject Re: Client Auth certificates, threat or menace?
Date 2025-05-20 20:18 +0000
Organization Taughannock Networks
Message-ID <100io2i$2ahf$1@gal.iecc.com>
References <100iavl$13mj$1@gal.iecc.com> <100iip0$di9$1@news.misty.com>


According to Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>:
>John Levine  wrote:
>
>> By my understanding, the only place that a mail system uses Client
>> Authentication certs is that a submission client can present a cert
>> for SMTP AUTH rather than a username and a password. It's a niche
>
>There is more, see cf/README: Relaying.

Well, OK, but in practice that's a special case of submission.

>sendmail doesn't care about "EKU":
>
>sendmail.org.cert.pem
>Certificate:
>        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
>        X509v3 extensions:
>            X509v3 Key Usage: critical
>                Digital Signature, Key Encipherment
>            X509v3 Basic Constraints: critical
>                CA:FALSE
>            X509v3 Extended Key Usage:
>                TLS Web Server Authentication, TLS Web Client Authentication

That's not very helpful since that cert has both key usages.

The claim, which I'm not sure I believe, is that the calls to openssl have default values
that want the client flag.
-- 
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
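
Added example, not part of the original post and not sendmail's code: a way to see what OpenSSL's own purpose check reports for a certificate carrying both EKU values, as the quoted one does, next to a server-only one. The certificates are constructed throwaway test certs, and the names `make_cert`, `purpose_ok`, `both`, `server` and the `example.invalid` subjects are assumptions made for this sketch; it shows only what the purpose check returns when it is asked, not whether sendmail asks for it.

```shell
#!/bin/sh
# Added example. The certificates are constructed throwaway test certs,
# not the sendmail.org certificate quoted in the post.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU: self-signed cert whose only extension is the given EKU.
# (Hypothetical helper; NAME and the example.invalid subject are made up.)
make_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $1.example.invalid
[ext]
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# purpose_ok NAME PURPOSE: succeeds if OpenSSL's purpose check says Yes.
# PURPOSE is a label printed by `openssl x509 -purpose`, e.g. "SSL client".
purpose_ok() {
    openssl x509 -in "$WORK/$1.pem" -noout -purpose |
        grep -q "^$2 : Yes"
}

make_cert both   "serverAuth, clientAuth"   # same EKU pair as the quoted cert
make_cert server "serverAuth"               # server-only EKU

# Print one line per (certificate, purpose) combination.
for c in both server; do
    for p in "SSL client" "SSL server"; do
        if purpose_ok "$c" "$p"; then r=Yes; else r=No; fi
        printf '%-7s %-11s %s\n' "$c" "$p" "$r"
    done
done
```

Running the same `openssl x509 -noout -purpose` command against a production certificate shows whether it would pass a verifier that requests the client purpose.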
