> "This identity may only be used for clients verifying servers," smells
> like authorization to me.

It's not. It's "This certificate can only be used to authenticate me if it is being used in the manner with which I specify."

Ex 1:

1. Alice creates certificate A, with the EKU set to Server Auth Only.
2. Alice connects to Bob, says "Hello, I am Alice." She has *identified* herself.
3. Bob says "Hello, prove you are Alice."
4. Alice sends certificate A.
5. Bob verifies certificate A cryptographically, but since it is only allowed to be used as Server Auth, not Client Auth, then *authentication* fails.

No authorization of anything ever occurs here, because authentication has failed.

Ex 2:

1. Alice creates certificate A, with the EKU set to Client Auth Only.
2. Alice connects to Bob, says "Hello, I am Alice." She has *identified* herself.
3. Bob says "Hello, prove you are Alice."
4. Alice sends certificate A.
5. Bob verifies certificate A cryptographically, and it is allowed to be used for Client Auth. *Authentication* succeeds.

Now that Alice has been authenticated, Bob can determine if she is *authorized* to do the thing she is trying to do.

On Sun, May 18, 2025 at 8:11 PM William Herrin via NANOG <[email protected]> wrote:

> On Sun, May 18, 2025 at 12:04 PM brent saner via NANOG
> <[email protected]> wrote:
> > On Sun, May 18, 2025, 10:27 William Herrin <[email protected]> wrote:
> > > I'm unclear what distinction you're drawing between "identify" and
> > > "authenticate." "I am who I say I am," is the sum total of
> > > authentication. Everything beyond that gets into authorization.
> >
> > I'd argue against that. "You *know me* as FOO and here is proof" is
> > authentication. Identity verification is only half of authentication ("here
> > is proof"), the other half is a mapping of entity/identity from that ("you
> > *know me* as").
>
> Hi Brent,
>
> This isn't parsing for me. You're mapping what to what?
>
> > (And then *what that entity* has access to (and how, etc.)
> > is authorization. I think we can all agree on that.)
>
> "This identity may only be used for clients verifying servers," smells
> like authorization to me. The purpose of signing an encryption key
> (the thing Let's Encrypt does) is to authenticate that the presented
> encryption key belongs to the claimed identity, in this case a DNS
> domain name. Not authorize it for a particular use.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> [email protected]
> https://bill.herrin.us/
> _______________________________________________
> NANOG mailing list
>
> https://lists.nanog.org/archives/list/[email protected]/message/5Y4OLU5B6AQTZE3D7JGZAJTNJHRKWMNH/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/WSA25DS2LOT4T3AYJRO7CTNQGJE5XESE/
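The two examples in the reply above, as an added illustration that is not part of the thread or of any poster's code: Go's standard `crypto/x509` library performs exactly this EKU-versus-purpose check inside `Certificate.Verify`. The program builds a self-signed certificate for a constructed subject ("alice"), restricts its Extended Key Usage, and then asks for it to be verified for the purpose it is being presented for. The signature and chain are valid in both runs; the Server Auth-only certificate is still rejected, with the reason `IncompatibleUsage`, so what fails is authentication, before any authorization question can arise. Subject name, key and certificate are all generated here for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a self-signed certificate for the constructed subject
// "alice" whose Extended Key Usage is limited to the given purposes.
func makeCert(ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "alice"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           ekus,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// authenticate is Bob's step 5: the certificate must chain to a trusted root
// (cryptographic check) AND be permitted for the purpose it is presented for
// (EKU check). A nil result means authentication succeeded.
func authenticate(cert *x509.Certificate, purpose x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // self-signed demo: Bob trusts Alice's cert as a root
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{purpose},
	})
	return err
}

// isIncompatibleUsage reports whether Verify failed specifically because the
// certificate's EKU does not cover the requested purpose.
func isIncompatibleUsage(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

func main() {
	serverOnly, err := makeCert([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	clientOnly, err := makeCert([]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	if err != nil {
		panic(err)
	}

	// Ex 1: Server Auth-only certificate presented as a client.
	err = authenticate(serverOnly, x509.ExtKeyUsageClientAuth)
	fmt.Printf("Ex 1: error=%v incompatibleUsage=%v\n", err, isIncompatibleUsage(err))

	// Ex 2: Client Auth-only certificate presented as a client.
	err = authenticate(clientOnly, x509.ExtKeyUsageClientAuth)
	fmt.Printf("Ex 2: error=%v\n", err)
}
```

Because `KeyUsages` defaults to `ExtKeyUsageServerAuth` when left empty, a TLS server validating a client certificate has to set it explicitly to `ExtKeyUsageClientAuth`; forgetting that is how a Server Auth-only certificate ends up accepted as a client credential.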
