On 17/05/2025 15:27, Jaroslaw Rafa wrote:
> On 17.05.2025 at 14:23:35, Alessandro Vesely via mailop wrote:
>> After a glance at those sites, I still don't understand what's wrong if a
>> certificate could also be used for client authentication.
> There is nothing wrong with using a client certificate for authentication
> *as such*, but the server cert and client cert functions should be
> separated.
>> Why?
> Server cert, like the one obtained from Let's Encrypt, identifies a *server*,
> not a particular user. Even if you specify a contact email address in the
> cert request, that address is not verified (as far as I remember), and it is
> also intended to be a generic administrative address under which the server
> operator can be contacted, rather than an address identifying a particular
> user.
Makes sense. However, I have multiple LE certificates for web and mail
servers, and none of them contain an email address. Both HTTPS and SMTP
allow a machine to act as either a server or a client in a given
session. If I were using client certificates, this change would force
me to double the number of certificates for no apparent reason.
Best
Ale