On Fri, Apr 03, 2026 at 07:38:21AM +0000, Peter Gutmann wrote:
> Nico Williams <[email protected]> writes:
>
> >Recall that we're talking about constraining client certificate use here to
> >just dNSName SAN certificates. Since KB5014754 at least the mapping of those
> >to machine accounts from Active Directory should not be trivial to spoof by
> >WebPKI CAs anymore.
>
> I'm not sure whether proposing AD (or some other equivalent, if there is one)
> as a means of managing certificate access control is going to help or if it'll
> just make things worse. [...]

I was not proposing any such thing. I was talking about how client certs
might get mapped to powerful accounts on Windows given that's what had
been mentioned earlier.

Nico
--
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
