It appears that Viktor Dukhovni <[email protected]> said:
>> Browser does TLS client side auth presenting the cert it was issued.
>
>With TLSA 3 1 X records, this could be just a raw public key.
>
>> I am now authenticated against @phill.hallambaker.com.
>
>Yes, the general idea of the languishing draft.
>
>> This approach does need some changes to the browser but they are
>> modest changes. I might even be able to implement them in my own
>> browser PHB at some point. All it takes is an API that exposes the
>> necessary hooks.
>
>I may be able to add the relevant support in OpenSSL, DANE for server
>certs is already implemented, ...

It is my impression that client certs are usually issued by an entity
that signs them with its own private CA, so the server mostly checks
that it recognizes the signature and then it knows what it signed.

I understand how DANE client certs could work technically but I'm not seeing
much real world use for them.  I know what Bluesky does, but the domain names
it hands out don't really exist so they aren't useful for federated anything.

R's,
John

_______________________________________________
dane mailing list -- [email protected]
To unsubscribe send an email to [email protected]
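To make the "TLSA 3 1 X could be just a raw public key" point concrete, here is an added example (not code from the thread, OpenSSL, or the draft) of the server-side check a DANE client-cert verifier would perform: it derives a DANE-EE (usage 3) TLSA record from a client's SubjectPublicKeyInfo, then matches a presented key against the records found under the client's name. The DNS lookup is replaced by a constructed in-memory zone, the owner-name scheme (`name` used directly) is an assumption rather than the draft's layout, and the Ed25519 SPKI bytes are sample values, not a real key. Usage values other than 3 are skipped here because they require PKIX path validation, which this snippet deliberately does not do.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: DER SubjectPublicKeyInfo for an Ed25519 key. The 12-byte
# prefix is the standard SPKI header for that algorithm; the 32 key bytes are
# arbitrary filler, not a real key.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(1, 33))


@dataclass(frozen=True)
class TLSA:
    """One TLSA RR: certificate usage, selector, matching type, association data."""
    usage: int
    selector: int
    matching: int
    data: bytes

    def rdata(self) -> str:
        # RFC 6698 presentation format, e.g. "3 1 1 <hex digest>"
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"


def parse_tlsa(text: str) -> TLSA:
    usage, selector, matching, hexdata = text.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex(hexdata))


def association_data(selector: int, matching: int,
                     cert_der: Optional[bytes], spki_der: bytes) -> Optional[bytes]:
    """Compute what the record's data field must equal for this client credential.

    Returns None when the record cannot apply, e.g. selector 0 (full certificate)
    against a client that only sent a raw public key (RFC 7250) and has no cert.
    """
    if selector == 0:
        if cert_der is None:
            return None
        blob = cert_der
    elif selector == 1:
        blob = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching == 0:
        return blob                              # exact content match
    if matching == 1:
        return hashlib.sha256(blob).digest()
    if matching == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {matching}")


def generate_tlsa(spki_der: bytes, selector: int = 1, matching: int = 1) -> TLSA:
    """Record the client would publish: DANE-EE, SPKI, SHA-256 by default (3 1 1)."""
    data = association_data(selector, matching, None, spki_der)
    assert data is not None, "selector 0 needs a full certificate, not just an SPKI"
    return TLSA(3, selector, matching, data)


def dane_ee_matches(records: List[TLSA], cert_der: Optional[bytes], spki_der: bytes) -> bool:
    """True if any usage-3 record matches the presented credential.

    No CA signature is consulted: with DANE-EE the DNS record itself is the
    trust anchor, so only the key (or cert) bytes matter.
    """
    for rec in records:
        if rec.usage != 3:
            continue                             # PKIX-dependent usages not handled here
        expected = association_data(rec.selector, rec.matching, cert_der, spki_der)
        if expected is not None and expected == rec.data:
            return True
    return False


# Constructed stand-in for a DNSSEC-validated lookup of the client's name.
# Assumption: the TLSA RRset lives directly at the client name.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "alice.example.com": [generate_tlsa(SAMPLE_SPKI).rdata()],
}


def authenticate_client(name: str, cert_der: Optional[bytes], spki_der: bytes,
                        zone: Dict[str, List[str]]) -> bool:
    """Server-side decision: does the presented key match the TLSA data for `name`?"""
    records = [parse_tlsa(r) for r in zone.get(name, [])]
    return dane_ee_matches(records, cert_der, spki_der)


if __name__ == "__main__":
    print(generate_tlsa(SAMPLE_SPKI).rdata())
    print("alice ok:", authenticate_client("alice.example.com", None, SAMPLE_SPKI, SAMPLE_ZONE))
```

In a real deployment the `zone` lookup must be a DNSSEC-validated query; an unvalidated answer would let anyone on the path substitute their own key digest, which is the whole trust model here. Selector 0 records are shown only to make the raw-public-key edge case explicit: a client that sends no certificate can never satisfy them, so a domain that wants to support raw keys should publish `3 1 X` records.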
