Yes, and organization IT can even mark the private key associated with the client cert not exportable from that laptop.
I do have customers requiring client cert as one factor of authentication.

Thanks,
Kha Thach

From: TLS <[email protected]> On Behalf Of Rushil Mehra
Sent: Wednesday, April 19, 2023 8:05 AM
To: Soni L. <[email protected]>
Cc: [email protected]
Subject: Re: [TLS] [EXTERNAL] Re: Servers sending CA names

Not necessarily. One could use client certificates to ensure that only authorized clients (e.g. a laptop with the client certificate in its key store) can access some resource.

On Tue, Apr 18, 2023 at 5:07 PM Soni L. <[email protected]> wrote:

So like a "client" cert is just a way to say "yes I'm really example.org" yeah? That seems particularly useful for federated networks (XMPP, etc). Why not call these server-to-server certs?

On 4/18/23 20:45, Peter Gutmann wrote:
> Richard Barnes <[email protected]> writes:
>
> >Let's Encrypt issues roughly 3 million publicly trusted certificates per day
> >that contain the client authentication EKU
>
> But they just set that by default for every cert they issue so it's pretty
> much meaningless. There are public CAs that set keyAgreement for RSA certs,
> and emailProtection for TLS server certs, doesn't mean any of them ever get
> used for that.
>
> (My more snarky response would have been that I should have asked that the
> IETF define a peaceOnEarth EKU so Let's Encrypt could set that as well :-).
>
> Peter.
>
> _______________________________________________
> TLS mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/tls

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
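The thread makes two points that fit together on the server side: a client certificate issued by the organization's own CA can gate access to a resource (Rushil's point), and the mere presence of a clientAuth EKU proves nothing on its own, since some public CAs set it on every certificate (Peter's point). The Go program below is an added example written for this page; it is not code from the thread or from any of the participants. It stands up a constructed organization CA ("Example Org Device CA"), issues device certificates, and then performs the check a server would run after the TLS handshake: verify the chain to the org CA with the clientAuth EKU required, and only then consult an explicit allowlist of device identities. The CA name, device names (`laptop-0042.corp.example`, `laptop-9999.corp.example`) and function names are all assumptions made for the example. In a real deployment the device key would be generated inside the laptop's key store (non-exportable, as the first message notes) and only a CSR would reach the CA; here the key is generated in-process purely so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKeyAndSerial generates a P-256 key and a random 128-bit serial number.
func newKeyAndSerial() (*ecdsa.PrivateKey, *big.Int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	return key, serial, err
}

// newOrgCA creates a self-signed CA standing in for the organization's internal
// device CA. The CA name is a constructed placeholder, not from the thread.
func newOrgCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, serial, err := newKeyAndSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "Example Org Device CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert issues a leaf certificate for one device with the given EKUs.
// The device key is generated and discarded here only so the example runs
// stand-alone; a real device would keep it in its own (non-exportable) key store.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	devKey, serial, err := newKeyAndSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &devKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// authorizeClient is the server-side decision once the handshake has delivered
// the peer certificate: (1) the chain must lead to the org CA and the leaf must
// be usable for clientAuth; (2) the identity in the leaf must be on the
// allowlist. Step 2 turns "holds a valid cert" into "is authorized"; an EKU bit
// by itself never decides that.
func authorizeClient(leaf, ca *x509.Certificate, allowed map[string]bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain or EKU check failed: %w", err)
	}
	if !allowed[leaf.Subject.CommonName] {
		return fmt.Errorf("valid certificate, but %q is not an authorized client", leaf.Subject.CommonName)
	}
	return nil
}

func main() {
	ca, caKey, err := newOrgCA()
	if err != nil {
		panic(err)
	}
	allowed := map[string]bool{"laptop-0042.corp.example": true} // constructed allowlist
	for _, c := range []struct {
		cn   string
		ekus []x509.ExtKeyUsage
	}{
		{"laptop-0042.corp.example", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
		{"laptop-0042.corp.example", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
		{"laptop-9999.corp.example", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
	} {
		leaf, err := issueClientCert(ca, caKey, c.cn, c.ekus)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s EKU=%v -> %v\n", c.cn, c.ekus, authorizeClient(leaf, ca, allowed))
	}
}
```

Of the three constructed devices, only the listed one carrying clientAuth is accepted; the same device with a serverAuth-only certificate fails at the EKU check, and an unlisted device with a perfectly valid clientAuth certificate fails at the allowlist. A certificate from any other CA, whatever EKUs it carries, never reaches the allowlist because the chain check anchors only on the org CA, which is the property that makes a default-set public EKU irrelevant to this kind of deployment.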
