nanog mailing list archives
Re: Massive change in Public Cert behaviour coming soon
From: Tom Beecher via NANOG <nanog () lists nanog org>
Date: Sun, 18 May 2025 21:27:47 -0400
> "This identity may only be used for clients verifying servers," smells like authorization to me.

It's not. It's "This certificate can only be used to authenticate me if it is being used in the manner with which I specify."

Ex 1:

1. Alice creates certificate A, with the EKU set to Server Auth Only.
2. Alice connects to Bob, says "Hello, I am Alice." She has *identified* herself.
3. Bob says "Hello, prove you are Alice."
4. Alice sends certificate A.
5. Bob verifies certificate A cryptographically, but since it is only allowed to be used as Server Auth, not Client Auth, *authentication* fails.

No authorization of anything ever occurs here, because authentication has failed.

Ex 2:

1. Alice creates certificate A, with the EKU set to Client Auth Only.
2. Alice connects to Bob, says "Hello, I am Alice." She has *identified* herself.
3. Bob says "Hello, prove you are Alice."
4. Alice sends certificate A.
5. Bob verifies certificate A cryptographically, and it is allowed to be used for Client Auth. *Authentication* succeeds.

Now that Alice has been authenticated, Bob can determine if she is *authorized* to do the thing she is trying to do.

On Sun, May 18, 2025 at 8:11 PM William Herrin via NANOG <nanog () lists nanog org> wrote:
> On Sun, May 18, 2025 at 12:04 PM brent saner via NANOG <nanog () lists nanog org> wrote:
>> On Sun, May 18, 2025, 10:27 William Herrin <bill () herrin us> wrote:
>>> I'm unclear what distinction you're drawing between "identify" and "authenticate." "I am who I say I am," is the sum total of authentication. Everything beyond that gets into authorization.
>>
>> I'd argue against that. "You *know me* as FOO and here is proof" is authentication. Identity verification is only half of authentication ("here is proof"), the other half is a mapping of entity/identity from that ("you *know me* as").
>
> Hi Brent,
>
> This isn't parsing for me. You're mapping what to what?
>
>> (And then *what that entity* has access to (and how, etc.) is authorization. I think we can all agree on that.)
>
> "This identity may only be used for clients verifying servers," smells like authorization to me. The purpose of signing an encryption key (the thing letsencrypt does) is to authenticate that the presented encryption key belongs to the claimed identity, in this case a DNS domain name. Not authorize it for a particular use.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> bill () herrin us
> https://bill.herrin.us/
>
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/5Y4OLU5B6AQTZE3D7JGZAJTNJHRKWMNH/
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/WSA25DS2LOT4T3AYJRO7CTNQGJE5XESE/
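The two exchanges in the post above (Ex 1: a Server Auth only certificate presented as a client, authentication fails; Ex 2: a Client Auth only certificate presented as a client, authentication succeeds), carried through with Go's standard-library x509 verifier. This is an added example, not code from the post or from any party in the thread. Assumptions for the demo: the name alice.example, a self-signed certificate standing in for certificate A, and Bob trusting that certificate directly as his only root, so that the Extended Key Usage is the only thing that can make verification fail. It also adds a control that the post does not spell out: the same Server Auth only certificate verifies fine when Bob checks it for the purpose it was issued for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned builds certificate A for the constructed name "alice.example",
// carrying exactly the Extended Key Usages given. Self-signing is an
// assumption for the demo; a CA-issued cert behaves the same under Verify.
func newSelfSigned(ekus ...x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "alice.example"},
		DNSNames:     []string{"alice.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// bobVerifies is step 5: Bob checks certificate A cryptographically and for
// the one purpose he is using it for. Bob is assumed to trust A directly as
// his only root, so signature and chain cannot be the reason for a failure.
func bobVerifies(certA *x509.Certificate, purpose x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(certA)
	_, err := certA.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{purpose},
	})
	return err
}

// IsIncompatibleUsage reports whether a failure is specifically the EKU
// mismatch, as opposed to a bad signature, expiry or name problem.
func IsIncompatibleUsage(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

// Authenticate runs the exchange: Alice presents a certificate issued with
// certEKU, Bob verifies it for purpose. true means authentication succeeded,
// which is the point at which authorization could begin.
func Authenticate(certEKU, purpose x509.ExtKeyUsage) (bool, error) {
	certA, err := newSelfSigned(certEKU)
	if err != nil {
		return false, fmt.Errorf("issuing certificate A: %w", err)
	}
	if err := bobVerifies(certA, purpose); err != nil {
		return false, err
	}
	return true, nil
}

// Ex1: Server Auth only certificate, presented as a client.
func Ex1() (bool, error) {
	return Authenticate(x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth)
}

// Ex1Control: the same Server Auth only certificate, checked as a server.
// Passing here shows the Ex1 failure is purely the EKU, not the cert itself.
func Ex1Control() (bool, error) {
	return Authenticate(x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageServerAuth)
}

// Ex2: Client Auth only certificate, presented as a client.
func Ex2() (bool, error) {
	return Authenticate(x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageClientAuth)
}

func main() {
	cases := []struct {
		name string
		run  func() (bool, error)
	}{{"Ex 1", Ex1}, {"Ex 1 control", Ex1Control}, {"Ex 2", Ex2}}
	for _, c := range cases {
		ok, err := c.run()
		fmt.Printf("%-12s authenticated=%v ekuMismatch=%v err=%v\n",
			c.name, ok, IsIncompatibleUsage(err), err)
	}
}
```

Note that Verify with no KeyUsages defaults to Server Auth, so a relying party that never sets KeyUsages is silently doing Ex 1 Control even when it is acting as a server accepting client certificates; passing the purpose explicitly is what makes step 5 match the post.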