Re: Massive change in Public Cert behaviour coming soon

[Grant Taylor via NANOG <nanog () lists nanog org>]

On 5/22/25 2:58 PM, John Levine via NANOG wrote:
> If the entities know who each other are, why do you and they need a 
> public CA?

Occam's Razor / Parsimony.

> It is my impression that the normal way to manage client certs is for 
> the organization that runs the servers to sign and distribute certs 
> to the clients.  This isn't new.

If you have multiple servers on the Internet that MUST use a public CA 
for various unassociated clients to trust the certificate and you want 
to leverage a certificate for communications between the two servers, 
then Occam's Razor / Parsimony would state that you use the simpler / 
one solution.

Solution 1 is to have and re-use the existing certificates that you must 
have from a single public CA.

Solution 2 is to have and use two separate certificate & key pairs, each 
from a different CA, one public and the other private.



--
Grant. . . .
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/MU7M5MZEPFTL2YYTBD5C4Q7OJK7FU36P/