On Sun, May 18, 2025 at 6:28 PM Tom Beecher <beecher@beecher.cc> wrote:
"This identity may only be used for clients verifying servers," smells like authorization to me.
It's not. It's "This certificate can only be used to authenticate me if it is being used in the manner with which I specify."
Hi Tom, I'm pretty sure that is exactly wrong. You've mixed the authentication and authorization components. Identity is identity regardless of the use to which it is put. The certificate either authenticates its principal or it does not *before* considering any use to which that identity is put. Considering the use prior to establishing the veracity of the identity would be a pretty clear layer violation. You finish authentication first. *Then* you decide whether it's acceptable for the proposed transaction (authorization). You connect to me with SSH and enter "root" with the right password, you have authenticated yourself as root. I'm not gonna let you in because I've decided that root is not authorized to connect via ssh, but that has nothing to do with the authentication step. If you've figured out the password, you are verified to be root. See how that works? Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/