Harondel J. Sibble wrote:

On 27 Sep 2008 at 13:22, mouss wrote:

if you have a commercial cert, you don't need a self-signed cert. Self-signed certs are for people who don't want to get a cert signed by a 3rd party (commercial or other). For email, you generally don't need a commercial certificate, because your users know you and you know them, and because users don't connect to thousands of IMAP servers.

Huh? I am looking to implement client side certificates which have to be installed on the end user device before they are able to connect to my mailserver.

Right. You need to keep track of what client certs you trust, so you really should be *at least* the immediate issuer (signer) of the client certs. The only reasons you would want your signing cert for those client certs to have a commercial issuer would be:

1. You want the client certs to be generally usable with those devices and servers other than your own.

2. The devices do not support the addition of new "root" certificates (i.e. your signing cert).

I already have a commercial cert on the mailserver so that's a moot point.

It is also likely to be irrelevant. The signature chain of a server's cert does not influence what signing chain a client cert needs to have.

Secondly, a client cert allows me to verify that the device connecting is allowed; this is secondary to any login info the user may have, i.e. 2-factor authentication: something you know (uid/password) and something you have (certificate).

That is only true if you are using a dependable mechanism to assure that users will actually be required to enter a password live rather than have their mail client save it.
