nanog mailing list archives

Re: Massive change in Public Cert behaviour coming soon


From: William Herrin via NANOG <nanog () lists nanog org>
Date: Sun, 18 May 2025 17:10:15 -0700

On Sun, May 18, 2025 at 12:04 PM brent saner via NANOG
<nanog () lists nanog org> wrote:
> On Sun, May 18, 2025, 10:27 William Herrin <bill () herrin us> wrote:
> > I'm unclear what distinction you're drawing between "identify" and
> > "authenticate." "I am who I say I am," is the sum total of
> > authentication. Everything beyond that gets into authorization.
>
> I'd argue against that. "You *know me* as FOO and here is proof" is
> authentication. Identity verification is only half of authentication ("here
> is proof"), the other half is a mapping of entity/identity from that ("you
> *know me* as").

Hi Brent,

This isn't parsing for me. You're mapping what to what?


> (And then *what that entity* has access to (and how, etc.)
> is authorization. I think we can all agree on that.)

"This identity may only be used for clients verifying servers," smells
like authorization to me. The purpose of signing an encryption key
(the thing Let's Encrypt does) is to authenticate that the presented
encryption key belongs to the claimed identity, in this case a DNS
domain name. Not authorize it for a particular use.

Regards,
Bill Herrin


--
William Herrin
bill () herrin us
https://bill.herrin.us/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/5Y4OLU5B6AQTZE3D7JGZAJTNJHRKWMNH/
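The two things the message separates, a CA signature that binds a public key to a DNS name and an Extended Key Usage (EKU) extension that restricts what that binding may be used for, can be shown side by side. The following is an added example, not code from the thread or from Let's Encrypt; it assumes the third-party `cryptography` package is installed and uses a throwaway self-signed CA (constructed here, not a real issuer). `verify_binding` checks only the signature and SAN, which is the authentication step; `check_purpose` checks only the EKU, the use restriction the message calls authorization. The hostname and function names are illustrative.

```python
"""Added example: key-to-name binding (signature) vs. EKU use restriction."""
import datetime

from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Assumed, constructed test hostname; not taken from the thread.
HOST = "www.example.test"


def _validity():
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(minutes=1), now + datetime.timedelta(days=1)


def make_ca():
    """Throwaway self-signed CA (assumption: stands in for a public issuer)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    nbf, naf = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(nbf)
        .not_valid_after(naf)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, dns_name, ekus):
    """Sign a leaf: the CA asserts 'this key belongs to dns_name', and
    separately records in the EKU which purposes the binding may serve."""
    key = ec.generate_private_key(ec.SECP256R1())
    nbf, naf = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dns_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(nbf)
        .not_valid_after(naf)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def verify_binding(ca_cert, leaf, dns_name):
    """Authentication step: is the CA signature valid and does the SAN name
    the identity we expect? Says nothing about what the cert is for."""
    try:
        ca_cert.public_key().verify(
            leaf.signature,
            leaf.tbs_certificate_bytes,
            ec.ECDSA(leaf.signature_hash_algorithm),
        )
    except Exception:  # InvalidSignature
        return False
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return dns_name in san.get_values_for_type(x509.DNSName)


def check_purpose(leaf, purpose_oid):
    """Use restriction: does the EKU permit this purpose? Per RFC 5280 4.2.1.12
    a cert with no EKU extension is unrestricted; anyExtendedKeyUsage also
    permits everything."""
    try:
        eku = leaf.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True
    return purpose_oid in eku or ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE in eku


def demo():
    """Issue a serverAuth-only leaf for HOST and return
    (binding_ok, wrong_name_ok, server_auth_ok, client_auth_ok)."""
    ca_key, ca_cert = make_ca()
    _, leaf = issue_leaf(ca_key, ca_cert, HOST, [ExtendedKeyUsageOID.SERVER_AUTH])
    return (
        verify_binding(ca_cert, leaf, HOST),
        verify_binding(ca_cert, leaf, "other.example.test"),
        check_purpose(leaf, ExtendedKeyUsageOID.SERVER_AUTH),
        check_purpose(leaf, ExtendedKeyUsageOID.CLIENT_AUTH),
    )


if __name__ == "__main__":
    print(demo())
```

Run as a script and the binding check passes for HOST and fails for another name, while the same certificate passes the serverAuth purpose check and fails clientAuth: the signature and the EKU are evaluated independently, which is the distinction being argued over above.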
