On Thu, May 22, 2025 at 3:18 AM nanog--- via NANOG <[email protected]> wrote:
> By specifying that a key is only used for server authentication, it prevents a
> hypothetical class of attacks where, say, you present one server's certificate
> as a client certificate to another server, pass traffic between the two servers
> - successfully authenticating as something you aren't, but still being unable
> to forge messages, but the connection may still have unintended effects
> (see cross-protocol request forgery).
A certificate authenticates an encryption public key and the identity claimed to be associated with it. A man in the middle can pass that key onward, but he won't be able to encrypt or decrypt anything with the associated private key since he does not possess the associated private key. This works in either direction, which is rather the point.

Regards,
Bill Herrin

--
William Herrin
[email protected]
https://bill.herrin.us/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/XFP4PKYGWI47D5DYNEELL3NY3VXOQ4EK/
