On 5/23/25 10:08 AM, John R. Levine via NANOG wrote:
> I'm having trouble coming up with plausible scenarios where the only
> thing you know about a client is that some CA said their domain is OK.
You don't know that a client is OK.
What you do know is that a CA said that the entity with the certificate
and corresponding key is a stated identity, e.g. the subject.
Look at Kerberos: the KDC doesn't say anything other than that the ticket
holder has proven their identity to the KDC, ostensibly with username &
password or something stronger.
The Kerberized server uses the ticket that the client provided it as
verification of identity from the common trusted source, the KDC.
None of Kerberos, usernames & passwords, or TLS client certificates
actually says anything about the credentials not being compromised. They
state / demonstrate that the entity using said ticket, U&P, or cert has
access to the necessary knowledge / data to validate as the claimed
identity.
Similar to how HTTPS only speaks to the connection to the server being
encrypted, and nothing about the safety of visiting the site.
--
Grant. . . .
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/S6FGSBRZ4LKDVQQVD3E3WN6OHKPK7BPH/
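The distinction Grant draws above, in code: what a server actually learns from a client certificate is "a CA I trust vouched that whoever holds this private key is subject X", and nothing more. The Go program below is an added example written for this page; it is not code from the thread or from any NANOG poster. It builds a throwaway CA and a client certificate in memory (the names "Example Corp CA", "Someone Else's CA" and "client.example.com" are constructed for illustration), runs the chain verification a TLS server would perform, and then applies a separate allowlist as the authorization step the certificate cannot make for you. A stolen client key would pass `authenticate` identically, which is the "nothing about the credentials not being compromised" point.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert signs tmpl with parentKey under parent. When parent is nil the
// certificate is self-signed with its own freshly generated key (a root CA).
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// newCA makes a self-signed root usable for signing client certificates.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issueCert(tmpl, nil, nil)
}

// newClientCert has the CA vouch that the holder of the new key is `name`.
func newClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issueCert(tmpl, ca, caKey)
}

// authenticate is everything the server learns from the client certificate:
// a trusted CA said the holder of the matching key is this subject. It says
// nothing about whether the key was stolen or whether the subject is welcome.
func authenticate(clientCert *x509.Certificate, trusted *x509.CertPool) (string, error) {
	_, err := clientCert.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	if len(clientCert.DNSNames) > 0 {
		return clientCert.DNSNames[0], nil
	}
	return clientCert.Subject.CommonName, nil
}

// authorize is the separate policy decision; the cert cannot make it for you.
func authorize(identity string, allowed map[string]bool) bool {
	return allowed[identity]
}

func main() {
	ca, caKey, err := newCA("Example Corp CA") // constructed name
	if err != nil {
		panic(err)
	}
	leaf, _, err := newClientCert(ca, caKey, "client.example.com") // constructed name
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	id, err := authenticate(leaf, pool)
	fmt.Printf("authenticated as %q (err=%v); allowed=%v\n", id, err,
		authorize(id, map[string]bool{"admin.example.com": true}))

	// Same name, issued by a CA the server does not trust: identity unproven.
	rogueCA, rogueKey, _ := newCA("Someone Else's CA")
	rogueLeaf, _, _ := newClientCert(rogueCA, rogueKey, "client.example.com")
	_, err = authenticate(rogueLeaf, pool)
	fmt.Println("untrusted CA, same name:", err)
}
```

Run it and the first line shows a verified identity that is still not allowed, because the allowlist names a different subject; the second shows that the same name from an untrusted issuer proves nothing at all. Revocation checking (CRL/OCSP) is deliberately left out of `authenticate` to keep the example self-contained; in production it belongs there, and even then it only tells you what the CA has been told.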