On 5/20/25 10:33 AM, Tom Beecher wrote:
>> Nobody in their right mind would want a login user to carry around a
>> bundle of bits on their laptop of what they are authorized to do
>
> EKU is not 'This certificate defines what the user is allowed to do'.
> It is "This certificate is valid to authenticate ONLY IF it is being
> presented to you in a specific context."
Same difference: burying policy into an authentication token. What is
the point? A backend presented with an authenticated identity can do the
same thing far easier and far more scalably without any of the downsides
mentioned. A backend server doesn't even need a name/key binding
borne by the client at all, let alone bearing policy info as well.
Mike
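The two points above, EKU as the context in which a certificate authenticates and authorization as a backend lookup keyed on the authenticated identity, shown as an added Go example that is not code from the thread. The CA, the "alice" leaf and the `policy` table are all constructed here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed backend policy table (hypothetical): what each authenticated identity may do.
var policy = map[string]map[string]bool{"alice": {"read": true}}

// issue makes a fresh key and a certificate from tmpl signed by parent (self-signed if nil).
func issue(tmpl, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain returns a constructed root pool and a leaf for "alice" whose EKU
// says it is valid for client authentication only, not for anything else.
func BuildChain() (*x509.CertPool, *x509.Certificate) {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Example CA"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "alice"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, leaf
}

// AuthenticatesAs reports whether leaf chains to roots when presented in context ctx.
func AuthenticatesAs(roots *x509.CertPool, leaf *x509.Certificate, ctx x509.ExtKeyUsage) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{ctx}})
	return err == nil
}

// Authorize authenticates first, then looks the identity up in the backend policy table.
func Authorize(roots *x509.CertPool, leaf *x509.Certificate, action string) bool {
	return AuthenticatesAs(roots, leaf, x509.ExtKeyUsageClientAuth) && policy[leaf.Subject.CommonName][action]
}
```

The same leaf verifies when offered as a TLS client and fails when offered as a server, while what "alice" may do comes from the backend table, not from the certificate.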
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/2SNOLUHUOSTULZUE4MHUHBAXYSEGJUN6/