
20 May 2025, 5:46 p.m.
On 5/20/25 10:33 AM, Tom Beecher wrote:
>> Nobody in their right mind would want a login user to carry around a bundle of bits on their laptop of what they are authorized to do
>
> EKU is not 'This certificate defines what the user is allowed to do'.
> It is "This certificate is valid to authenticate ONLY IF it is being presented to you in a specific context."
Same difference: burying policy into an authentication token. What is the point? A backend presented with an authenticated identity can do the same thing far more easily and far more scalably, without any of the downsides like those mentioned. A backend server doesn't even need a name/key binding borne by the client at all, let alone bearing policy info as well.

Mike
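The distinction the two replies are arguing over can be shown in code. The following is an added example, not code from this thread or from either poster: it mints an in-memory CA and a leaf certificate for a placeholder identity "alice" whose EKU is id-kp-clientAuth only, shows that Go's chain verifier accepts it when presented as a TLS client and rejects it when presented as a TLS server (the context restriction Tom describes), and then keeps the "what may alice do" decision in a backend-side table keyed by the authenticated identity (the separation Mike describes). The CA name, the identity, the permission strings and the action names are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI holds a constructed, in-memory PKI: one self-signed CA and one leaf
// certificate whose EKU is restricted to id-kp-clientAuth.
type TestPKI struct {
	Roots *x509.CertPool
	Leaf  *x509.Certificate
}

// BuildPKI mints the CA and the leaf. Nothing is read from disk; the subject
// names "Example Test CA" and "alice" are placeholders.
func BuildPKI() (*TestPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "alice"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// The only context statement in the cert: usable to authenticate a TLS client.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &TestPKI{Roots: roots, Leaf: leaf}, nil
}

// VerifyInContext chains the leaf to the trusted roots and checks that its EKU
// permits the context it is being presented in (TLS client vs. TLS server).
// A mismatch surfaces as x509.CertificateInvalidError with Reason IncompatibleUsage.
func VerifyInContext(p *TestPKI, ctx x509.ExtKeyUsage) error {
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: p.Roots, KeyUsages: []x509.ExtKeyUsage{ctx}})
	return err
}

// permissions is a constructed backend-side table: what each authenticated
// identity may do lives here, under the backend's control, not in the certificate.
var permissions = map[string][]string{
	"alice": {"read:reports", "write:tickets"},
}

// Authorize authenticates first (chain + EKU context), then consults the
// backend table keyed by the identity the certificate asserts.
func Authorize(p *TestPKI, ctx x509.ExtKeyUsage, action string) error {
	if err := VerifyInContext(p, ctx); err != nil {
		return fmt.Errorf("authentication failed: %w", err)
	}
	for _, allowed := range permissions[p.Leaf.Subject.CommonName] {
		if allowed == action {
			return nil
		}
	}
	return errors.New("not authorized: " + action)
}

func main() {
	p, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("as TLS client:", VerifyInContext(p, x509.ExtKeyUsageClientAuth))
	fmt.Println("as TLS server:", VerifyInContext(p, x509.ExtKeyUsageServerAuth))
	fmt.Println("read:reports:", Authorize(p, x509.ExtKeyUsageClientAuth, "read:reports"))
	fmt.Println("admin:delete:", Authorize(p, x509.ExtKeyUsageClientAuth, "admin:delete"))
}
```

Changing what alice may do is an edit to the backend table; the certificate, and the EKU in it, stay as issued. That is the practical consequence of keeping the context check (EKU) in the credential and the policy out of it.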