nanog mailing list archives
Re: Massive change in Public Cert behaviour coming soon
From: William Herrin via NANOG <nanog () lists nanog org>
Date: Sun, 18 May 2025 20:57:56 -0700
On Sun, May 18, 2025 at 6:28 PM Tom Beecher <beecher () beecher cc> wrote:
> > "This identity may only be used for clients verifying servers," smells like authorization to me.
>
> It's not. It's "This certificate can only be used to authenticate me if it is being used in the manner with which I specify."

Hi Tom,

I'm pretty sure that is exactly wrong. You've mixed the authentication and authorization components. Identity is identity regardless of the use to which it is put. The certificate either authenticates its principal or it does not *before* considering any use to which that identity is put. Considering the use prior to establishing the veracity of the identity would be a pretty clear layer violation.

You finish authentication first. *Then* you decide whether it's acceptable for the proposed transaction (authorization).

You connect to me with SSH and enter "root" with the right password, you have authenticated yourself as root. I'm not gonna let you in because I've decided that root is not authorized to connect via ssh, but that has nothing to do with the authentication step. If you've figured out the password, you are verified to be root. See how that works?

Regards,
Bill Herrin

--
William Herrin
bill () herrin us
https://bill.herrin.us/
