nanog mailing list archives

Re: Massive change in Public Cert behaviour coming soon


From: William Herrin via NANOG <nanog () lists nanog org>
Date: Mon, 19 May 2025 11:37:41 -0700

On Mon, May 19, 2025 at 5:36 AM Tom Beecher <beecher () beecher cc> wrote:
I'll buy the argument that our happy fun certificates from letsencrypt
intentionally include an authorization component if you care to make
that argument.

You could state that the certificate says "Here are my identification credentials,
but I only authorize you to accept them if they have been presented to you while
doing FOO." This is semantically correct, it's just not common verbiage used
to describe what is occurring.

Hi Tom,

I will buy that and confess to being pedantic about it.


"The authentication was complete when the identity was verified" is also
verbiage that's clunky, and also not accurate. When PKI is used,
authentication only is completed after a certificate is processed
and passed as valid. (RFC 5280, Sec 6.1.3 - 6.1.5.) In the example
given, if the cert has a critical EKU of id-kp-serverAuth, and it's presented
as clientAuth, the cert processing fails, therefore authentication did not succeed.

My point, the one where this pedantry started, was that this is yet
another example of IETF layer violation: instead of a clean
authentication step, they added authorization stuff in there, the
"extended key usage" elements. Protocol layer violations usually cause
trouble somewhere down the line as this one may be doing now.

Regards,
Bill Herrin



-- 
William Herrin
bill () herrin us
https://bill.herrin.us/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/YII27DYR6S7C43M2JB2ZPPSJYVPUP7W5/
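The serverAuth-versus-clientAuth case discussed in the thread, worked through as an added example; this is not code from the thread or from any TLS library, and it models only the Extended Key Usage rule of RFC 5280 section 4.2.1.12, not the full path validation of section 6.1. The DER bytes are constructed inline with a minimal OID/SEQUENCE encoder so it runs without dependencies (short-form DER lengths only); the key purpose OIDs are the ones RFC 5280 assigns to id-kp-serverAuth, id-kp-clientAuth and anyExtendedKeyUsage.

```python
"""Check an X.509 Extended Key Usage (EKU) value against the purpose a
certificate is being presented for.  Added example for the NANOG thread;
constructed DER, EKU rule from RFC 5280 4.2.1.12 only."""

# Key purpose OIDs from RFC 5280 section 4.2.1.12
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # continuation bytes carry bit 7
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid for the OID content octets (no tag/length)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_eku(purposes) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId"""
    inner = b"".join(encode_oid(p) for p in purposes)
    if len(inner) >= 128:
        raise ValueError("this example only emits short-form DER lengths")
    return bytes([0x30, len(inner)]) + inner


def decode_eku(der: bytes) -> list:
    """Parse an EKU extension value back into a list of dotted OIDs."""
    if not der or der[0] != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    length = der[1]
    if length & 0x80:
        raise ValueError("long-form DER length not handled in this example")
    pos, end, purposes = 2, 2 + length, []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        n = der[pos + 1]
        purposes.append(decode_oid(der[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return purposes


def eku_permits(eku_der, required_purpose: str) -> bool:
    """RFC 5280 4.2.1.12: with no EKU extension there is no restriction; when
    EKU is present the certificate MUST only be used for a listed purpose, and
    anyExtendedKeyUsage covers every purpose.  The rule is the same whether or
    not the extension is marked critical."""
    if eku_der is None:
        return True
    purposes = decode_eku(eku_der)
    return required_purpose in purposes or ANY_EXTENDED_KEY_USAGE in purposes


def thread_example() -> dict:
    """The cases from the thread: a serverAuth-only cert presented each way."""
    server_only = encode_eku([ID_KP_SERVER_AUTH])      # constructed EKU value
    any_purpose = encode_eku([ANY_EXTENDED_KEY_USAGE])
    return {
        "serverAuth cert presented for serverAuth": eku_permits(server_only, ID_KP_SERVER_AUTH),
        "serverAuth cert presented for clientAuth": eku_permits(server_only, ID_KP_CLIENT_AUTH),
        "cert without EKU presented for clientAuth": eku_permits(None, ID_KP_CLIENT_AUTH),
        "anyExtendedKeyUsage cert presented for clientAuth": eku_permits(any_purpose, ID_KP_CLIENT_AUTH),
    }


if __name__ == "__main__":
    for case, ok in thread_example().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The second case is the one the thread describes: the certificate is syntactically valid and its chain may verify, yet the EKU check fails for clientAuth, so the relying party never reaches "authenticated". Whether that check belongs to authentication or to authorization is exactly the layering question Bill raises; the code only shows where in processing the rejection happens.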
