nanog mailing list archives

Re: Massive change in Public Cert behaviour coming soon


From: brent saner via NANOG <nanog () lists nanog org>
Date: Fri, 23 May 2025 22:06:12 -0400

On Fri, May 23, 2025, 21:14 Grant Taylor via NANOG <nanog () lists nanog org> wrote:

> (SNIP)
>
> If you have multiple servers on the Internet that MUST use a public CA
> for various unassociated clients to trust the certificate and you want
> to leverage a certificate for communications between the two servers,
> then Occam's Razor / Parsimony would state that you use the simpler /
> one solution.
>
> Solution 1 is to have and re-use the existing certificates that you must
> have from a single public CA.


Mixing public and private communication under a single resource is poor
practice.

Using a public CA as a trust authority for private resources using mTLS
auth offers no segregation nor least-access and relies wholly on individual
identity checking.

Better hope you didn't typo that regex!


> Solution 2 is to have and use two separate certificate & key pairs, each
> from a different CA, one public and the other private.


Technically they *can* have the same private key... the CA just signs a CSR
generated by a key.

BUT that aside, this is the objectively correct approach.

Under no circumstance should one use a public CA for verifying client
certificates.

Occam's Razor is for explaining phenomena. Taking the simplest approach for
*security design* with no regard for ramifications has a different term
applied: "lazy"[0].



[0] Or "low-hanging fruit", depending on if you're blue or red I suppose.
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/PZYPTYT3NJCYP6OPOL7UGY75WCCZZBGT/
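An added illustration of the two points made above (one private key can carry certificates from two CAs, and trust for mTLS client auth should be segregated by issuer rather than by matching subject names); this is constructed example code, not anything from the thread or from NANOG. It builds two throwaway self-signed CAs standing in for a "public" and a "private" CA, issues a client certificate from each for the same client key, and shows that a server whose trust pool holds only the private CA accepts the private-CA-issued certificate and rejects the public-CA-issued one with no DN regex involved; the CA names, the client name `server-b.example` and the helper names are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey { // fresh P-256 key (constructed for this demo)
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}
// issue signs a certificate for pub: with parent == nil a self-signed CA, otherwise a
// client-auth leaf signed by parent's key. Only the public key is handed to the CA, as with a CSR.
func issue(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // CA: self-signed and allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}
// AcceptedBy reports whether leaf chains to trustedCA for client auth: the decision is by issuer,
// so nothing about the subject needs to be pattern-matched to keep public-CA certs out.
func AcceptedBy(trustedCA, leaf *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
// Demo: one client key, one certificate from each CA; the server side trusts only the private CA.
func Demo() (privateIssuedOK, publicIssuedOK bool) {
	pubCAKey, privCAKey, clientKey := newKey(), newKey(), newKey()
	publicCA := issue("Public CA (constructed)", &pubCAKey.PublicKey, nil, pubCAKey)
	privateCA := issue("Private CA (constructed)", &privCAKey.PublicKey, nil, privCAKey)
	fromPublic := issue("server-b.example", &clientKey.PublicKey, publicCA, pubCAKey)
	fromPrivate := issue("server-b.example", &clientKey.PublicKey, privateCA, privCAKey)
	return AcceptedBy(privateCA, fromPrivate), AcceptedBy(privateCA, fromPublic)
}
```

`Demo()` returns `(true, false)`: the same key is accepted or refused purely on which CA vouched for it.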