On Tue, Apr 18, 2023 at 09:06:40PM -0300, Soni L. wrote:

> That seems particularly useful for federated networks (XMPP, etc). Why 
> not call these server-to-server certs?

That's basically it.  At least in OpenSSL, when an EKU extension is
present in the client certificate, it must allow client authentication
for the certificate check to pass validation.

However, some applications don't "validate" client certificates relative
to any trust anchor, and instead maintain explicit access control lists
of suitably authorised public keys (or enclosing certificates).

One low-volume, but actually employed use-case is
nullclient-to-smarthost MTA-to-MTA authentication, hence Postfix support
for relay access via client public key or certificate fingerprints.

    https://www.postfix.org/postconf.5.html#relay_clientcerts
    https://www.postfix.org/postconf.5.html#check_ccert_access

The client certificate EKU is then irrelevant, but IIRC basicConstraints
may be enforced at the TLS layer (the certificate may need to be valid
for keyAgreement, the problem goes away with raw public keys :-).

-- 
    Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
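The two mechanisms Viktor contrasts above (OpenSSL's EKU rule for client
certificates versus a Postfix fingerprint ACL that ignores the EKU) can be
exercised with the openssl commands the Postfix manual gives for building
relay_clientcerts tables. The script below is an added example, not code
from the message, the TLS list or the Postfix project; the throwaway
self-signed certificate, the name nullclient.example and the table path are
constructed for the demo, and the function names are the author's own.

```sh
#!/bin/sh
# Added example (not from Viktor's message or the Postfix project): build the
# two lookup keys Postfix accepts in relay_clientcerts / check_ccert_access
# tables, and check the EKU rule OpenSSL applies to client certificates.
# Needs openssl 1.1.1 or later (for -addext); otherwise only sh, sed, mktemp.
set -eu

# Certificate fingerprint: SHA-256 over the DER-encoded certificate, printed
# as colon-separated uppercase hex, the form shown in the Postfix manual.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Public key fingerprint: SHA-256 over the DER SubjectPublicKeyInfo. This key
# survives certificate renewal as long as the key pair is kept, and it is the
# value a raw-public-key client would be matched by.
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -c | sed 's/^.*= //' | tr 'abcdef' 'ABCDEF'
}

# OpenSSL's rule for a verifying server, as described in the message: when
# the client certificate carries an EKU extension it must include clientAuth
# ("TLS Web Client Authentication" in openssl text output); no EKU at all is
# acceptable. Returns 0 (allowed) or 1 (would fail chain verification).
eku_allows_client_auth() {
    eku=$(openssl x509 -in "$1" -noout -text \
            | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    case "$eku" in
        "")                                 return 0 ;;
        *"TLS Web Client Authentication"*)  return 0 ;;
        *)                                  return 1 ;;
    esac
}

# relay_clientcerts table fragment for one client: either key matches.
# The right-hand side is free text here; for a check_ccert_access table it
# would be an access action such as OK.
relay_clientcerts_entries() {
    name=$2
    printf '%s %s\n' "$(cert_fingerprint "$1")" "$name"
    printf '%s %s\n' "$(pubkey_fingerprint "$1")" "$name"
}

# Demo: a constructed nullclient certificate whose EKU only allows serverAuth.
# A chain-verifying smarthost would reject it at the TLS layer; a fingerprint
# ACL does not look at the EKU at all.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CERT="$DEMO_DIR/nullclient.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj /CN=nullclient.example \
    -addext 'extendedKeyUsage = serverAuth' \
    -keyout "$DEMO_DIR/nullclient.key" -out "$DEMO_CERT" 2>/dev/null

if eku_allows_client_auth "$DEMO_CERT"; then
    echo "EKU: acceptable for clientAuth"
else
    echo "EKU: serverAuth only; a chain-verifying server would reject this cert"
fi

echo "relay_clientcerts entries (then: postmap hash:/etc/postfix/relay_clientcerts):"
relay_clientcerts_entries "$DEMO_CERT" nullclient.example

# Matching smarthost settings, all documented in postconf(5):
#   smtpd_tls_ask_ccert = yes
#   smtpd_tls_fingerprint_digest = sha256
#   relay_clientcerts = hash:/etc/postfix/relay_clientcerts
#   smtpd_relay_restrictions = permit_mynetworks, permit_tls_clientcerts,
#       reject_unauth_destination
```

Running it prints the EKU verdict (rejected, since the constructed certificate
only asserts serverAuth) followed by two table lines with identical right-hand
sides; both the certificate and the public-key fingerprint are emitted so the
ACL keeps working across a certificate renewal that reuses the key pair, which
is also why the public-key form is the one that carries over to raw public keys.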
