On Mon, May 19, 2025 at 5:36 AM Tom Beecher <beecher@beecher.cc> wrote:
I'll buy the argument that our happy fun certificates from letsencrypt intentionally include an authorization component if you care to make that argument.
You could state that the certificate says "Here are my identification credentials, but I only authorize you to accept them if they have been presented to you while doing FOO." This is semantically correct , it's just not common verbiage used to describe what is occurring
Hi Tom, I will buy that and confess to being pedantic about it.
"The authentication was complete when the identity was verified" is also verbiage that's clunky, and also not accurate. When PKI is used, authentication only is completed after a certificate is processed and passed as valid. ( RFC5280, Sec 6.1.3 - 6.1.5. ) In the example given, if the cert has a critical EKU of id-kp-serverAuth , and it's presented as clientAuth, the cert processing fails, therefore authentication did not succeed.
My point, the one where this pedantry started, was that this is yet another example of IETF layer violation: instead of a clean authentication step, they added authorization stuff in there, the "extended key usage" elements. Protocol layer violations usually cause trouble somewhere down the line as this one may be doing now. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/