nanog mailing list archives

Re: Massive change in Public Cert behaviour coming soon


From: Grant Taylor via NANOG <nanog () lists nanog org>
Date: Fri, 23 May 2025 20:02:07 -0500

On 5/23/25 10:08 AM, John R. Levine via NANOG wrote:
I'm having trouble coming up with plausible scenarios where the only thing you know about a client is that some CA said their domain is OK.

You don't know that a client is ok.

What you do know is that a CA said that the entity with the certificate and corresponding key is a stated identity, e.g. the subject.

Look at Kerberos: the KDC doesn't say anything other than that the ticket holder has proven their identity to the KDC, ostensibly with username & password or something stronger.

The Kerberized server uses the ticket that the client provided it as verification of identity from the common trusted source: the KDC.

None of Kerberos, usernames & passwords, or TLS client certificates actually says anything about the credentials not being compromised. They state / demonstrate that the entity using said ticket, U&P, or cert has access to the necessary knowledge / data to validate as the claimed identity.

Similar to how HTTPS only speaks to the connection to the server being encrypted, and nothing about the safety of visiting the site.

--
Grant. . . .
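As an added illustration of the point made above (example code, not from the thread): once the TLS layer has verified a client certificate's chain, all the server has learned is the subject the CA vouched for, so it still has to map that identity to permissions and handle the case where the credential itself has been compromised. The peer-cert dict, allowlist and revoked serial below are constructed for this example, in the shape returned by ssl.SSLSocket.getpeercert() after CERT_REQUIRED verification.

```python
import ssl

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output for a
# client cert whose chain the TLS layer has already verified.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "deploy-agent-07"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jun 01 00:00:00 2025 GMT",
    "notAfter": "Jun 01 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "deploy-agent-07.internal.example"),),
}

# Hypothetical policy: authorization is a separate decision from authentication.
AUTHORIZED_SUBJECTS = {"deploy-agent-07": {"read", "deploy"}}
# Hypothetical local revocation list, e.g. after a key-compromise report.
REVOKED_SERIALS = {"0B2C3D"}

# Fixed "now" (epoch seconds) so the example is deterministic.
SAMPLE_NOW_TS = ssl.cert_time_to_seconds("Sep 01 00:00:00 2025 GMT")


def identity_from_cert(cert):
    """Return the authenticated identity: the subject CN the CA vouched for."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def cert_is_current(cert, now_ts):
    """True if now_ts lies within the certificate's validity window."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now_ts <= not_after


def authorize(cert, action, now_ts):
    """Decide whether the authenticated subject may perform `action`.

    The CA only told us *who* holds the key; it said nothing about whether
    the key is still private or whether that subject may do anything."""
    if cert.get("serialNumber") in REVOKED_SERIALS:
        return "revoked"
    if not cert_is_current(cert, now_ts):
        return "expired"
    identity = identity_from_cert(cert)
    if identity not in AUTHORIZED_SUBJECTS:
        return "unknown-identity"
    if action not in AUTHORIZED_SUBJECTS[identity]:
        return "not-permitted"
    return "allowed"
```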

_______________________________________________
NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/S6FGSBRZ4LKDVQQVD3E3WN6OHKPK7BPH/
