On Sun, May 18, 2025 at 12:04 PM brent saner via NANOG <nanog@lists.nanog.org> wrote:
On Sun, May 18, 2025, 10:27 William Herrin <bill@herrin.us> wrote:
I'm unclear what distinction you're drawing between "identify" and "authenticate." "I am who I say I am," is the sum total of authentication. Everything beyond that gets into authorization.
I'd argue against that. "You *know me* as FOO and here is proof" is authentication. Identity verification is only half of authentication ("here is proof"), the other half is a mapping of entity/identity from that ("you *know me* as").
Hi Brent, This isn't parsing for me. You're mapping what to what?
(And then *what that entity* has access to (and how, etc.) is authorization. I think we can all agree on that.)
"This identity may only be used for clients verifying servers," smells like authorization to me. The purpose of signing an encryption key (the thing letencrypt does) is to authenticate that the presented encryption key belongs to the claimed identity, in this case a DNS domain name. Not authorize it for a particular use. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/