
Hi,

On 19.05.2025 03:27, Tom Beecher via NANOG wrote:

> 5. Bob verifies certificate A cryptographically, but since it is only allowed to be used as Server Auth, not Client Auth, then *authentication* fails.

Authentication: are you who you say you are? Authorization: are you allowed to do something, or are you prohibited from doing something?

The only reason anyone can claim this is authentication is because the first question is answered not simply by the cryptographic validation but by the attestation of the signer, and the signer refuses to attest if a key is used for purposes other than those the signer permits. In other words, EKU is a horrible mishmash of authentication and authorization because the signer is prohibiting the principal from using the certificate for certain purposes. There are $REASONs for this, but I'd really like to hear them.

Eliot
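Tom's step 5 and the "cryptographic validation versus signer attestation" split, as an added example that is not part of this thread: it uses only Go's standard crypto/x509 to build a throwaway CA and a leaf whose EKU lists serverAuth alone, then verifies the same chain once for server auth and once for client auth. The helper names (issue, VerifyFor, ServerOnlyDemo) and the subjects "Demo CA" and "alice.example" are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey under parent (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, parentKey ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// VerifyFor separates "the chain is cryptographically valid" from "the signer
// permitted this purpose". Go's Verify runs signature, validity and chain
// building first and applies the EKU filter last, reporting IncompatibleUsage.
func VerifyFor(leaf, ca *x509.Certificate, eku x509.ExtKeyUsage) (chainOK, usageOK bool) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}})
	var inv x509.CertificateInvalidError
	usageRefused := errors.As(err, &inv) && inv.Reason == x509.IncompatibleUsage
	return err == nil || usageRefused, err == nil
}

// ServerOnlyDemo builds a constructed CA and a leaf whose EKU lists serverAuth
// only, then asks whether the leaf is acceptable as a server and as a client.
func ServerOnlyDemo() (serverChainOK, serverUsageOK, clientChainOK, clientUsageOK bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, caPub, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice.example"},
		NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}} // no clientAuth
	leaf := issue(leafTmpl, ca, leafPub, caKey)
	serverChainOK, serverUsageOK = VerifyFor(leaf, ca, x509.ExtKeyUsageServerAuth)
	clientChainOK, clientUsageOK = VerifyFor(leaf, ca, x509.ExtKeyUsageClientAuth)
	return
}
```

For the client-auth attempt the chain check still succeeds and only the EKU filter refuses, which is exactly the "valid signature, but the signer did not attest to this purpose" outcome the thread is arguing about.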