Quoting Rob Siemborski <[EMAIL PROTECTED]>:

> On Fri, 2 Jan 2004, Christos Soulios wrote:
> > Rob Siemborski wrote:
> > > On Fri, 2 Jan 2004, Paul Boven wrote:
> > >
> > > The only argument I currently completely understand for an IP-only based
> > > setup is that of sites that need to distinguish ANONYMOUS users between
> > > domains (and prehaps that is good enough).
> >
> > What about being able to determine the virtual domain based on the ip
> > address and presenting different ssl certificate for each domain?  Even
> > presenting different host name, one that is in accordance to the ssl
> > certificate. All this happens long before authentication. Right? This
> > would be really nice to implement.
> You can do that in a model that still allows users to add an @ sign and a
> domain to their userid.

I cannot figure out how this can be achieved. And to make it clear, I will give
an example. 

I have two domains domain1.com and domain2.com which are hosted by the hosts
imap.domain1.com and imap.domain2.com respectively. These two servers must have
two different certificates with cn=imap.domain1.com and cn=imap.domain2.com 

When the user connects to the imap.domain1.com and long before the user
authentication takes place, the cyrus must be able to present the correct
certificate. Because most mail clients will not accept to connect to the imap
host imap.domain1.com and be presented a certificate with cn=imap.otherdomain.com

But how can cyrus be able to know which is the correct certificate to present?
Of course, not by retrieving the domain by the userid suffix. Then it is too
late. The authentication has already taken place. In my opinion this must have
taken place by the time the user connects. And then the only way for cyrus to
determine the correct virtual domain is _only_ using the ip address of the
server interface.  

Am I right or am I missing something here?


> The only way to get a win out of a model that disallows that feature is to
> come up with something where it actively causes problems.  And the SASL
> ANONYMOUS mechanism is about all I can currently see.
> -Rob
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper

Reply via email to