On 5/19/25 11:54 PM, Eliot Lear via NANOG wrote:
> Hi,
>
> On 19.05.2025 03:27, Tom Beecher via NANOG wrote:
>
> > 5. Bob verifies certificate A cryptographically, but since it is only
> > allowed to be used as Server Auth, not Client Auth, then *authentication*
> > fails.
>
> Authentication: are you who you say you are?
> Authorization: are you allowed to do something, or are you prohibited
> from doing something?
>
> The only reason anyone can claim this is authentication is because the
> first question is answered not simply by the cryptographic validation
> but by the attestation of the signer, and the signer refuses to attest if
> a key is used for purposes other than those the signer permits.
>
> In other words, EKU is a horrible mishmash of authentication and
> authorization because the signer is prohibiting the principal from
> using the certificate for certain purposes. There are $REASONs for
> this, but I'd really like to hear them.
I have always assumed $BUSINESSMODEL. More certs issued: $$. More
complicated and the potential for churn due to changing roles, etc?
PROFIT! Entangling authz is a great way to achieve that, even though
just a simple lookup for permissions, roles, etc, etc in an online
database (eg, LDAP, but it can be anything) is so much easier (and
natural, imo).
It's bad enough we're stuck with the legacy of certificates in a world
that largely doesn't need their unique capability (offline
verification), but entangling even more stuff with them like authz makes
a historical mess even worse.
Mike
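The step Tom describes, a certificate that validates cryptographically but is rejected because its Extended Key Usage does not cover the purpose it is being presented for, is what Go's standard-library chain validator does when it is told which usage to check. The program below is an added example written for this thread, not code from any of the posters: it builds a self-signed certificate (constructed test material, hypothetical name "alice.example") whose EKU is restricted to serverAuth, then asks the verifier to accept it first for server authentication and then for client authentication. The second check fails with the specific IncompatibleUsage reason, distinct from a signature or expiry failure, which is the point Eliot makes: the signer's restriction, not the math, is what decides the outcome.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeServerAuthCert builds a self-signed certificate whose Extended Key Usage
// is limited to serverAuth. Constructed test material for this example only;
// "alice.example" is a hypothetical name, not a real host.
func makeServerAuthCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "alice.example"},
		DNSNames:              []string{"alice.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // signer permits only this purpose
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyFor runs chain validation for one intended purpose, trusting cert as
// its own root so that the only thing that can fail is the usage check.
// A nil result means the certificate is acceptable for that purpose.
func verifyFor(cert *x509.Certificate, purpose x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{purpose},
	})
	return err
}

// isIncompatibleUsage reports whether err is the EKU mismatch specifically,
// as opposed to a bad signature, an expired validity window, or a name problem.
func isIncompatibleUsage(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

func main() {
	cert, err := makeServerAuthCert()
	if err != nil {
		panic(err)
	}
	for _, p := range []struct {
		name    string
		purpose x509.ExtKeyUsage
	}{
		{"serverAuth", x509.ExtKeyUsageServerAuth},
		{"clientAuth", x509.ExtKeyUsageClientAuth},
	} {
		err := verifyFor(cert, p.purpose)
		switch {
		case err == nil:
			fmt.Printf("%s: accepted\n", p.name)
		case isIncompatibleUsage(err):
			fmt.Printf("%s: rejected by EKU restriction (%v)\n", p.name, err)
		default:
			fmt.Printf("%s: rejected for another reason (%v)\n", p.name, err)
		}
	}
}
```

Note that if KeyUsages is left empty, Go's verifier defaults to checking serverAuth, so a relying party that wants to authenticate a TLS client has to ask for ExtKeyUsageClientAuth explicitly; otherwise the serverAuth-only certificate above would pass, which is how the authorization embedded in EKU silently goes unenforced.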
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/DGL26FT5M7AIPGN4H2D6K7EFEYLOEYMY/