On Tue, Apr 18, 2023 at 09:06:40PM -0300, Soni L. wrote:
> That seems particularly useful for federated networks (XMPP, etc). Why
> not call these server-to-server certs?

That's basically it. At least in OpenSSL, when an EKU extension is present in the client certificate, it must allow client authentication for the certificate check to pass validation.

However, some applications don't "validate" client certificates relative to any trust anchor, and instead maintain explicit access control lists of suitably authorised public keys (or enclosing certificates). One low-volume, but actually employed use-case is nullclient-to-smarthost MTA-to-MTA authentication, hence Postfix support for relay access via client public key or certificate fingerprints.

https://www.postfix.org/postconf.5.html#relay_clientcerts
https://www.postfix.org/postconf.5.html#check_ccert_access

The client certificate EKU is then irrelevant, but IIRC basicConstraints may be enforced at the TLS layer (the certificate may need to be valid for keyAgreement, the problem goes away with raw public keys :-).

-- 
Viktor.
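To make the two acceptance paths in the message concrete, here is an added Python sketch (not Postfix code and not part of the thread). It contrasts a trust-anchor style check, where a present EKU must include id-kp-clientAuth, with a fingerprint access list in the spirit of check_ccert_access, where the EKU plays no role. The SPKI bytes are a constructed Ed25519 SubjectPublicKeyInfo with dummy key material, the "certificate" bytes are an opaque stand-in, and the lookup order (certificate fingerprint first, then public-key fingerprint) and the colon-separated uppercase hex format are assumptions modelled on Postfix's documented table format rather than a reimplementation of it.

```python
import hashlib

# id-kp-clientAuth and id-kp-serverAuth from RFC 5280 section 4.2.1.12
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"


def fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Digest of DER bytes rendered as colon-separated uppercase hex,
    the shape used in relay_clientcerts / check_ccert_access tables
    (assumed format; see the Postfix docs linked in the message)."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def eku_permits_client_auth(eku_oids):
    """Trust-anchor style rule described in the thread: an absent EKU is
    acceptable, a present EKU must list clientAuth."""
    return eku_oids is None or CLIENT_AUTH_OID in eku_oids


def acl_lookup(cert_der: bytes, spki_der: bytes, acl: dict):
    """Access-list path: try the certificate fingerprint, then the public-key
    fingerprint (assumed order). Returns the table value or None."""
    for fp in (fingerprint(cert_der), fingerprint(spki_der)):
        if fp in acl:
            return acl[fp]
    return None


def authorize_relay(cert_der, spki_der, eku_oids, chain_valid, acl):
    """Decide how a client was admitted: 'acl' when its key/cert fingerprint
    is listed (EKU irrelevant), 'pki' when the chain validated to a trust
    anchor and the EKU permits client auth, None otherwise.
    chain_valid stands in for real path validation, which is out of scope."""
    if acl_lookup(cert_der, spki_der, acl) is not None:
        return "acl"
    if chain_valid and eku_permits_client_auth(eku_oids):
        return "pki"
    return None


# Constructed sample: minimal DER SubjectPublicKeyInfo for Ed25519,
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits, 32 bytes) }.
# The 32 key bytes are a counting pattern, not a real key.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
# Constructed stand-in for the enclosing certificate's DER (opaque bytes,
# not a parseable certificate).
SAMPLE_CERT = b"constructed-certificate-der-stand-in:" + SAMPLE_SPKI


if __name__ == "__main__":
    # A cert with a serverAuth-only EKU fails the trust-anchor path...
    print(authorize_relay(SAMPLE_CERT, SAMPLE_SPKI, {SERVER_AUTH_OID}, True, {}))
    # ...but is admitted once its public-key fingerprint is in the relay ACL.
    relay_acl = {fingerprint(SAMPLE_SPKI): "OK"}
    print(authorize_relay(SAMPLE_CERT, SAMPLE_SPKI, {SERVER_AUTH_OID}, True, relay_acl))
```

Keying the ACL on the public-key fingerprint rather than the certificate fingerprint lets the client re-issue its certificate (new validity period, different extensions) without the table changing, which is the same reason the message notes that raw public keys make the keyAgreement question disappear.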