
22 May 2025, 7:58 p.m.
It appears that Colin Constable via NANOG <nanog@lists.nanog.org> said:
> We use EKU to provide mTLS between components owned and run by other entities. It is not truly authentication, as we have other methods to do that, but it does "keep the lumps out".
If the entities know who each other are, why do you and they need a public CA?
> 2) Create a shadow CA infra for non-browser use cases, which results in a fragmented CA (yuck!)
It is my impression that the normal way to manage client certs is for the organization that runs the servers to sign and distribute certs to the clients. This isn't new.

R's,
John
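The arrangement John describes (the organization that runs the servers acting as its own CA for its clients) together with the EKU check Colin mentions, as an added example that is not part of this thread or of anyone's production setup: a shell script that builds a private root CA with openssl, issues a client certificate carrying extendedKeyUsage=clientAuth, and shows that verification accepts it only for the client role and only when it chains to the CA the organization chose to trust. It assumes openssl 1.1.1 or later on PATH (for `-addext`-free config handling it writes its own minimal req config); the organization names and the `svc-a`/`svc-b` identities are hypothetical.

```shell
#!/bin/sh
# Added example (not from the NANOG thread): an organization runs its own CA,
# issues client certs with EKU=clientAuth, and relies only on that CA.
# Assumes openssl >= 1.1.1 on PATH. All names below are hypothetical.
set -eu

PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
# The subject always comes from -subj; the [dn] section only needs to exist.
cat > "$PKI_DIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca <prefix> <org name>: self-signed root CA for one organization.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$PKI_DIR/req.cnf" \
        -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.crt" \
        -subj "/O=$2/CN=$2 Internal CA" >/dev/null 2>&1
}

# issue_cert <ca prefix> <leaf prefix> <EKU list>: CSR from the client, signed
# by the organization's CA. The EKU is what lets a relying party reject a cert
# presented for the wrong role (e.g. a client cert offered as a server cert).
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$PKI_DIR/req.cnf" \
        -keyout "$PKI_DIR/$2.key" -out "$PKI_DIR/$2.csr" \
        -subj "/O=Partner Org/CN=$2" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=%s\n' \
        "$3" > "$PKI_DIR/$2.ext"
    openssl x509 -req -days 365 -in "$PKI_DIR/$2.csr" \
        -CA "$PKI_DIR/$1.crt" -CAkey "$PKI_DIR/$1.key" -CAcreateserial \
        -extfile "$PKI_DIR/$2.ext" -out "$PKI_DIR/$2.crt" >/dev/null 2>&1
}

# verify_cert <ca prefix> <leaf prefix> <sslclient|sslserver>: returns 0 only
# when the leaf chains to that CA and its EKU permits the requested purpose.
verify_cert() {
    openssl verify -CAfile "$PKI_DIR/$1.crt" -purpose "$3" \
        "$PKI_DIR/$2.crt" >/dev/null 2>&1
}

# Demo: our CA issues svc-a; some other organization's CA issues svc-b.
demo() {
    make_ca orgca "Example Org"
    make_ca rogueca "Some Other Org"
    issue_cert orgca svc-a clientAuth
    issue_cert rogueca svc-b clientAuth

    verify_cert orgca svc-a sslclient && echo "svc-a: accepted as a client"
    verify_cert orgca svc-a sslserver || echo "svc-a: rejected as a server (EKU is clientAuth only)"
    verify_cert orgca svc-b sslclient || echo "svc-b: rejected, not issued by a CA we trust"
}
demo
```

The point the script makes is the one in the reply: because the server operator chooses which CA it trusts and issues the client certs itself, a public CA plays no part, and the EKU keeps a client credential from being accepted in a server role. In a real deployment the leaf keys would be generated on the client side and only the CSR sent to the CA; the script generates them in one place purely so it runs offline.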