also sprach Craig Sanders <firstname.lastname@example.org> [2005.01.26.1249 +0100]:
> > However, so far I have been using 1 year expiration on the
> > certificates, and it's a major pain to get new certificates out to
> > each of about 280 clients,
>
> so use 5 year or 10 year expiration.

What's the advantage of using that over passwords?

> installing the cert is up to the end-user, unless their machine is
> a *nix/postfix (or whatever) box that you have root on.

I am root on their machines. If they were all accessible at all
times, no problem. As it stands, I get a call from xyz behind
a fascist firewall in need of a new certificate. What to do if
I cannot SSH into the box? Hand them the root password? I don't
think so...

> reload is only needed if you change main.cf or any text map files
> (including pcre or regexp maps).

Yeah, you are right. It takes years to kill a habit.

> e.g. what exactly is a /usr/sbin/sendmail provider? and how does
> it differ from having an MTA on the client host? or even an
> smtp-capable MUA?

I want a /usr/sbin/sendmail which uses ~/.sendmailrc or the like of
the calling user to determine what to do with the message. Some
users may want to use SASL, others may want to use a local
forwarder...

> btw, if you are root on the client machines, doesn't that make
> installation of certificates a) easy and b) easily automated?

See above. Yes, if the machines are reachable. No in all practical
configurations.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <email@example.com>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!