The mailing list for listmasters using Sympa

[Olivier Salaun <address@concealed>]

Hi Tanel,

Tanel Kokk wrote:
> 
> Is there any possibility (using scenarios, templeates) to authenticate
> users by user x509-certificate installed browser' certificate database.
>
> My purpose is to use restricted web_archive capabilty (for example:
> allowed only for subscribers), but I don't like password based
> authentication/authorization.

Sympa allows this : if accessed via HTTPS with a user certificate, it 
authenticates
the user without email/password.

> I don't understand, what does it mean in access_web_archive.* scenarios:
> true()  md5,smime -> do_it

Scenarios are used both for mail commands and the web.
'md5' means either :
        o mail confirmation (mail)
        o password (web)
'smime' means either :
        o S/MIME signed (mail)
        o HTTPS with user certificate (web)

This scenario rule allows archive access to anyone (true()) who is
authenticated either with password or S/MIME.

> How can I use SMIME (signed mail) authentication on web-based
> application?

Almost all scenarios provide X509-authenticated users at least the set
of privilege password-authenticated have. Which means that you don't
need to adapt scenarios for X509.

All you have to do is :
        o install OpenSSL
        o create an alias for WWS in your HTTPS virtual web server
        o set the following parameters in sympa.conf : openssl, 
trusted_ca_options,
          key_password

Sympa will share the trusted CAs with Apache.
It also provides :
        o message encryption (in list having a certificate)
        o authentication based on S/MIME signature
        o user certificates management

Sympa documentation includes a whole chapter about S/MIME and HTTPS :
http://listes.cru.fr/sympa/distribution/current/doc/sympa/node8.html

This article is also of interrest :
http://listes.cru.fr/sympa/documentation/article_smime/sympasmime.html

--
Olivier Salaün
Comité Réseau des Universités