On Mon, May 19, 2025 at 5:36 AM Tom Beecher <[email protected]> wrote:
>> I'll buy the argument that our happy fun certificates from letsencrypt
>> intentionally include an authorization component if you care to make
>> that argument.
>
> You could state that the certificate says "Here are my identification
> credentials, but I only authorize you to accept them if they have been
> presented to you while doing FOO." This is semantically correct, it's
> just not common verbiage used to describe what is occurring.

Hi Tom,

I will buy that and confess to being pedantic about it.

> "The authentication was complete when the identity was verified" is also
> verbiage that's clunky, and also not accurate. When PKI is used,
> authentication only is completed after a certificate is processed
> and passed as valid. (RFC 5280, Sec 6.1.3 - 6.1.5.) In the example
> given, if the cert has a critical EKU of id-kp-serverAuth, and it's presented
> as clientAuth, the cert processing fails, therefore authentication did not
> succeed.

My point, the one where this pedantry started, was that this is yet
another example of an IETF layer violation: instead of a clean
authentication step, they added authorization stuff in there, the
"extended key usage" elements. Protocol layer violations usually cause
trouble somewhere down the line, as this one may be doing now.

Regards,
Bill Herrin

-- 
William Herrin
[email protected]
https://bill.herrin.us/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/YII27DYR6S7C43M2JB2ZPPSJYVPUP7W5/
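The behaviour Tom describes (a certificate whose EKU lists only id-kp-serverAuth fails path validation when checked for clientAuth, so authentication never completes) can be reproduced with Go's standard crypto/x509 verifier. The following is an added example, not code from either poster; it generates a throwaway self-signed certificate in memory and trusts that certificate as its own root, so no real CA or key is involved. Go's verifier enforces the EKU list whether or not the extension is flagged critical, so the example leaves the extension at its default (non-critical) encoding; it also shows the general RFC 5280 rule that a certificate with no EKU extension at all is accepted for any purpose.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned builds a self-signed certificate carrying the given EKU list.
// Constructed test material only: a fresh P-256 key and the name "example.test".
func makeSelfSigned(ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           ekus, // nil means "no EKU extension" (any purpose allowed)
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyForUsage runs path validation on cert, trusting cert itself as the
// only root, and asks the verifier to accept it only for the given purpose.
func VerifyForUsage(cert *x509.Certificate, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{usage},
	})
	return err
}

// IsUsageMismatch reports whether err is specifically the EKU rejection,
// as opposed to an expiry, name or chain-building failure.
func IsUsageMismatch(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

// Outcomes issues a certificate with the given EKU list and reports whether
// it validates for serverAuth and for clientAuth respectively.
func Outcomes(ekus []x509.ExtKeyUsage) (serverOK, clientOK bool, err error) {
	cert, err := makeSelfSigned(ekus)
	if err != nil {
		return false, false, err
	}
	serverErr := VerifyForUsage(cert, x509.ExtKeyUsageServerAuth)
	clientErr := VerifyForUsage(cert, x509.ExtKeyUsageClientAuth)
	// Surface any failure that is not the expected EKU mismatch.
	for _, e := range []error{serverErr, clientErr} {
		if e != nil && !IsUsageMismatch(e) {
			return false, false, e
		}
	}
	return serverErr == nil, clientErr == nil, nil
}

func main() {
	s, c, err := Outcomes([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	fmt.Printf("EKU=serverAuth only: serverAuth=%v clientAuth=%v err=%v\n", s, c, err)
	s, c, err = Outcomes(nil)
	fmt.Printf("no EKU extension:    serverAuth=%v clientAuth=%v err=%v\n", s, c, err)
}
```

With the serverAuth-only certificate, the clientAuth check fails with x509.IncompatibleUsage before any application logic runs, which is exactly the "processing fails, therefore authentication did not succeed" outcome in the quoted text; the EKU-less certificate passes both checks.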
