
On 5/18/25 10:26 AM, William Herrin via NANOG wrote:
I'm unclear what distinction you're drawing between "identify" and "authenticate." "I am who I say I am," is the sum total of authentication. Everything beyond that gets into authorization.
+1
Which now that I think about it sounds a lot like there's a layer violation in giving TLS certificates a "for this purpose" tag at all. I knew there was a reason I didn't like it but I was having trouble putting my finger on it.
I don't think it's a layering violation. Mutual TLS authenticates each party to the other. Then each party is free to do whatever they want with that authenticated identity. The TLS itself has nothing to do with what is done with the authenticated identity information. -- Grant. . . .
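The split Grant describes, TLS doing the authentication and the application doing whatever it likes with the resulting identity, is easy to see in code. The following is an added example written for this page, not code from any list participant. It assumes a throwaway in-process CA, three made-up principals (alice, bob, mallory) and a constructed read/write ACL; everything is generated at run time, so it runs offline with the Go standard library only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must turns a certificate-generation failure, which this demo cannot recover from, into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 cert for cn, self-signed when parent is nil (a toy CA, an assumption of this
// demo). Leaves carry both serverAuth and clientAuth EKUs because Go's verifier checks the EKU
// matching the peer's role; the CA carries none, which leaves it unrestricted.
func issue(cn string, ca bool, parent *tls.Certificate) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{cn} // SAN: Go ignores the CN when matching ServerName
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// acl is the (constructed) authorization policy. It sits entirely above TLS: the handshake only
// establishes who the peer is; this table alone says what that peer may do. Unknown names yield false.
var acl = map[string]map[string]bool{"alice": {"read": true}, "bob": {"read": true, "write": true}}

func authorize(who, op string) bool { return acl[who][op] }

// serveOne reads one request (the first Read completes the mTLS handshake, which verifies the
// client cert against ClientCAs), takes the identity from the verified chain and applies the ACL.
func serveOne(ln net.Listener) {
	conn, err := ln.Accept()
	if err != nil {
		return
	}
	defer conn.Close()
	var op string
	if _, err := fmt.Fscanln(conn, &op); err != nil {
		return // covers a failed handshake: an unauthenticated client never gets a verdict
	}
	who := conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
	verdict := "denied"
	if authorize(who, op) {
		verdict = "allowed"
	}
	fmt.Fprintln(conn, verdict)
}

// exchange sends one request from clientCN (certified by clientCA) to a server that presents a
// serverCA cert and trusts only serverCA for clients. Returns the verdict, or the TLS error.
func exchange(serverCA, clientCA *tls.Certificate, clientCN, op string) (string, error) {
	srv, cli := issue("localhost", false, serverCA), issue(clientCN, false, clientCA)
	trust := x509.NewCertPool()
	trust.AddCert(serverCA.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{*srv},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust}) // authentication lives here, in TLS
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go serveOne(ln)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{*cli}, RootCAs: trust, ServerName: "localhost"})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	fmt.Fprintln(conn, op)
	var verdict string // under TLS 1.3 an untrusted client cert surfaces on this read, as the server's alert
	_, err = fmt.Fscanln(conn, &verdict)
	return verdict, err
}

func main() {
	ca, other := issue("Toy Root CA", true, nil), issue("Other CA", true, nil)
	fmt.Println(exchange(ca, ca, "alice", "read"))    // allowed <nil>
	fmt.Println(exchange(ca, ca, "mallory", "read"))  // denied <nil>: authenticated but not authorized
	fmt.Println(exchange(ca, other, "alice", "read")) // "" and a TLS error: never authenticated
}
```

Note where the two decisions are taken: `RequireAndVerifyClientCert` plus `ClientCAs` is the whole of authentication, and the handshake either succeeds or the peer gets nothing. The `acl` lookup is the authorization step, and a mallory holding a perfectly valid certificate from the trusted CA reaches it and is turned away there. The certificate's EKU in this example only has to satisfy Go's verifier; nothing about "read" versus "write" is carried in the certificate, which is the separation the thread is arguing about.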