
On 5/23/25 10:08 AM, John R. Levine via NANOG wrote:
> I'm having trouble coming up with plausible scenarios where the only thing you know about a client is that some CA said their domain is OK.
You don't know that a client is OK. What you do know is that a CA said that the entity with the certificate and corresponding key is a stated identity, e.g. the subject.

Look at Kerberos: the KDC doesn't say anything other than that the ticket holder has proven their identity to the KDC, ostensibly with username & password or something stronger. The Kerberized server uses the ticket that the client provided it as verification of identity from the common trusted source, the KDC.

None of Kerberos, usernames & passwords, or TLS client certificates actually say anything about the credentials not being compromised. They state / demonstrate that the entity using said ticket, U&P, or cert has access to the necessary knowledge / data to validate as the claimed identity. Similar to how HTTPS only speaks to the connection to the server being encrypted, and nothing about the safety of visiting the site.

-- 
Grant. . . .