Yes, and organization IT can even mark the private key associated with the client cert not exportable from that laptop.

I do have customers requiring client cert as one factor of authentication.

Thanks,
Kha Thach

From: TLS <tls-boun...@ietf.org> On Behalf Of Rushil Mehra
Sent: Wednesday, April 19, 2023 8:05 AM
To: Soni L. <fakedme+...@gmail.com>
Cc: tls@ietf.org
Subject: Re: [TLS] [EXTERNAL] Re: Servers sending CA names

Not necessarily. One could use client certificates to ensure that only authorized clients (e.g. a laptop with the client certificate in its key store) can access some resource.

On Tue, Apr 18, 2023 at 5:07 PM Soni L. <fakedme+...@gmail.com> wrote:

So like a "client" cert is just a way to say "yes I'm really example.org" yeah? That seems particularly useful for federated networks (XMPP, etc). Why not call these server-to-server certs?

On 4/18/23 20:45, Peter Gutmann wrote:
> Richard Barnes <r...@ipv.sx> writes:
>
> >Let's Encrypt issues roughly 3 million publicly trusted certificates per day
> >that contain the client authentication EKU
>
> But they just set that by default for every cert they issue so it's pretty
> much meaningless. There are public CAs that set keyAgreement for RSA certs,
> and emailProtection for TLS server certs, doesn't mean any of them ever get
> used for that.
>
> (My more snarky response would have been that I should have asked that the
> IETF define a peaceOnEarth EKU so Let's Encrypt could set that as well :-).
>
> Peter.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls