It appears that Colin Constable via NANOG <[email protected]> said:
>We use EKU to provide mTLS between components owned and run by other entities,
>it is not truly authentication, as we have other methods to do that but it
>does "keep the lumps out".

If the entities know who each other are, why do you and they need a public CA?

>2) Create a shadow CA infra for non browser use cases - Which results in
>fragmented CA (yuck!)

It is my impression that the normal way to manage client certs is for the
organization that runs the servers to sign and distribute certs to the
clients. This isn't new.

R's,
John
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/UYNMKE57RUNMRGOVN6NA72HW5HOOGC3U/
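Added worked example (editor's code, not Colin's or John's, and not tied to any real deployment): the model John describes, with the organisation running the servers operating its own private CA and issuing client certs, written against Go's standard crypto/x509. It also shows the EKU point from Colin's message: a cert the same CA issued for a server (serverAuth only) is refused as a client cert, and a clientAuth cert from some other organisation's CA is refused because it does not chain to ours. All names ("Example Org Private CA", "partner-router-1", "api.example.org") are made up for the demo; the serial counter and panics on key-generation failure are demo shortcuts, not CA practice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // demo-only counter; a real CA records every serial it issues

// template fills the fields every certificate in this demo shares.
func template(cn string) *x509.Certificate {
	serial++
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newKey and sign panic on failure, which here can only mean a broken system RNG.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewCA mints a self-signed CA. In the model the thread describes, this is the
// private CA run by the organisation that operates the servers; it never needs
// to be in any browser trust store.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := template(name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueLeaf has the CA sign an end-entity cert carrying exactly the given EKUs.
// The organisation then hands cert and key to the client they belong to.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	key := newKey()
	tmpl := template(cn)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = ekus
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// AcceptClient is the server-side check in an mTLS handshake: the presented
// cert must chain to our private CA and must carry the clientAuth EKU.
func AcceptClient(ourCA, presented *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ourCA)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Scenario builds our private CA plus an unrelated one and runs AcceptClient
// against three leaves: our clientAuth cert (expect nil), our serverAuth-only
// cert (expect CertificateInvalidError with IncompatibleUsage) and a clientAuth
// cert from the other CA (expect UnknownAuthorityError). Names are made up.
func Scenario() (good, wrongEKU, foreignCA error) {
	ourCA, ourKey := NewCA("Example Org Private CA")
	otherCA, otherKey := NewCA("Some Other Org CA")
	good = AcceptClient(ourCA, IssueLeaf(ourCA, ourKey, "partner-router-1", x509.ExtKeyUsageClientAuth))
	wrongEKU = AcceptClient(ourCA, IssueLeaf(ourCA, ourKey, "api.example.org", x509.ExtKeyUsageServerAuth))
	foreignCA = AcceptClient(ourCA, IssueLeaf(otherCA, otherKey, "partner-router-1", x509.ExtKeyUsageClientAuth))
	return
}

func main() {
	good, wrongEKU, foreignCA := Scenario()
	fmt.Println("our clientAuth cert:       ", good)
	fmt.Println("our serverAuth-only cert:  ", wrongEKU)
	fmt.Println("foreign CA clientAuth cert:", foreignCA)
}
```

The two rejections fail for different reasons, and a server should treat them differently in its logs: the serverAuth-only cert does chain to our CA but is the wrong kind of credential (the EKU check is what "keeps the lumps out"), while the foreign cert is simply untrusted because the private CA, not a public one, is the only root the server is configured with. In a real deployment the `Roots` pool would be loaded from the CA cert file distributed with the client certs, and `tls.Config.ClientCAs` with `ClientAuth: tls.RequireAndVerifyClientCert` does the equivalent of `AcceptClient` inside the handshake.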
