
On 5/20/25 11:25 AM, Tom Beecher wrote:
Unless you're willing to say that whatever is doing the authz/policy is *offline* -- ie, can't look that policy up in real time -- this can all be done using normal online mechanisms. That is, "server, is this identity allowed to do this or that?" in your example.
I'm not arguing that it doesn't work as stated. I'm arguing that they bring a tremendous amount of cert baggage -- business models, enrollment, revocation, etc, etc -- that is really hard to justify under any normal circumstance. Asymmetric keying unfortunately involves way too many people thinking that once they are involved, certs are necessary. It need not be, and in fact the vast majority of cases would be greatly simplified by just getting rid of certs entirely, even the basic name/identity binding they provide.
I don't entirely disagree with that perspective. Lots of merit to it.
I think most of my responses have been directed towards those who seem to be *disagreeing* with the "this is how it works" bits.
Yeah, there were other parts of this thread that I didn't comment on that seemed wrong-headed too (not you, iirc). Probably just as well :) Suffice it to say, I pretty much agree with Eliot's assessment of "mishmash" re: authn/authz.

Mike