> On Mar 24, 2026, at 03:50, Peter Gutmann <[email protected]> wrote:
>
> Salz, Rich <[email protected]> writes:
>
>> Since WebPKI CAs will not be able to issue TLS-Client certificates, what are
>> the customers and CAs thinking of doing?
>
> Same as they've always done, which for the vast majority of all TLS users will
> be not bother with client certs. For the rest, typically siloed deployments
> using private-label CAs and/or ignoring eKU.
>
> And commenting on another part of the discussion about what is PKI: Non-web
> PKI isn't really PKI as such, specifically the I part, but a ticket-clipping
> service, you need to have a ticket visible on your dashboard that's been
> clipped by one of the Approved Authorities in order to participate in the
> system. Which may sound bad but actually isn't, it's a pretty effective
> access control mechanism, and certainly vastly more so than the web PKI.
Yes. And what is the advantage of using X.509 certificates for that
ticket-clipping service, over using bearer tokens as tickets a la
Kerberos->SAML->OAuth? Is binding the ticket into the encrypted session with
a client secret worth "PKI"?

Regards,
-johnk

> Peter.
>
> _______________________________________________
> Spasm mailing list -- [email protected]

_______________________________________________
TLS mailing list -- [email protected]
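The distinction the question turns on, bearer ticket versus ticket bound to a holder key and the session, is easiest to see in a small relying-party check. The following is an added example, not code from either poster or from any of the systems named in the thread. It uses Ed25519 from Go's standard library as the signature scheme for both the issuer and the holder, a JSON blob as the "ticket" (standing in for an X.509 certificate or a SAML/OAuth token), and a constructed byte string as the per-session binding value (standing in for a TLS exporter/channel-binding value). The function names (`Issue`, `AcceptBearer`, `AcceptBound`, `ReplayOutcome`) are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Ticket is the "clipped ticket": the issuer's statement about the holder.
// HolderKey is empty for a bearer ticket and carries the holder's Ed25519
// public key for a key-bound ticket (the analogue of the SPKI in an X.509 cert).
type Ticket struct {
	Subject   string `json:"sub"`
	HolderKey []byte `json:"holder_key,omitempty"`
}

// SignedTicket is the ticket body plus the issuer's signature over it.
type SignedTicket struct {
	Body []byte // JSON encoding of Ticket
	Sig  []byte // issuer's Ed25519 signature over Body
}

// Issue signs a ticket; holderKey == nil yields a bearer ticket.
func Issue(issuerPriv ed25519.PrivateKey, subject string, holderKey ed25519.PublicKey) (SignedTicket, error) {
	body, err := json.Marshal(Ticket{Subject: subject, HolderKey: holderKey})
	if err != nil {
		return SignedTicket{}, err
	}
	return SignedTicket{Body: body, Sig: ed25519.Sign(issuerPriv, body)}, nil
}

// AcceptBearer is the relying party's check for a bearer ticket: only the
// issuer's signature is verified, so whoever presents the bytes is admitted.
func AcceptBearer(issuerPub ed25519.PublicKey, st SignedTicket) bool {
	return ed25519.Verify(issuerPub, st.Body, st.Sig)
}

// Challenge is what the relying party asks the holder to sign: a fresh nonce
// plus a value unique to this encrypted session. In TLS that value would come
// from the key exporter; here sessionBinding is a constructed stand-in.
func Challenge(sessionBinding, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("ticket-pop-v1")) // domain separation label (constructed)
	h.Write(sessionBinding)
	h.Write(nonce)
	return h.Sum(nil)
}

// Prove is the holder's proof of possession of the key named in the ticket.
func Prove(holderPriv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(holderPriv, challenge)
}

// AcceptBound verifies the issuer's signature AND that the presenter controls
// the key named in the ticket, for this session's challenge.
func AcceptBound(issuerPub ed25519.PublicKey, st SignedTicket, challenge, proof []byte) bool {
	if !ed25519.Verify(issuerPub, st.Body, st.Sig) {
		return false
	}
	var t Ticket
	if err := json.Unmarshal(st.Body, &t); err != nil || len(t.HolderKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(t.HolderKey), challenge, proof)
}

// ReplayOutcome runs both flows with an observer who copied one session's
// messages and presents them again on a new session. It returns whether the
// bearer replay and the key-bound replay were accepted by the relying party.
func ReplayOutcome() (bearerReplayed, boundReplayed bool, err error) {
	issuerPub, issuerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	holderPub, holderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}

	// Bearer flow: the copied bytes are indistinguishable from the original.
	bearer, err := Issue(issuerPriv, "alice", nil)
	if err != nil {
		return false, false, err
	}
	bearerReplayed = AcceptBearer(issuerPub, bearer)

	// Key-bound flow, session 1: legitimate holder answers the challenge.
	bound, err := Issue(issuerPriv, "alice", holderPub)
	if err != nil {
		return false, false, err
	}
	nonce1, nonce2 := make([]byte, 16), make([]byte, 16)
	rand.Read(nonce1)
	rand.Read(nonce2)
	ch1 := Challenge([]byte("constructed-session-binding-1"), nonce1)
	proof1 := Prove(holderPriv, ch1)
	if !AcceptBound(issuerPub, bound, ch1, proof1) {
		return false, false, errors.New("legitimate key-bound presentation was rejected")
	}

	// Session 2: the observer replays ticket + proof1, but the relying party
	// derives a new challenge from this session's binding and nonce.
	ch2 := Challenge([]byte("constructed-session-binding-2"), nonce2)
	boundReplayed = AcceptBound(issuerPub, bound, ch2, proof1)
	return bearerReplayed, boundReplayed, nil
}

func main() {
	b, k, err := ReplayOutcome()
	fmt.Printf("bearer replay accepted: %v, key-bound replay accepted: %v, err: %v\n", b, k, err)
}
```

The point of the example is the extra check in `AcceptBound`: a bearer ticket is accepted on the issuer's signature alone, so any copy of it is as good as the original, while the key-bound ticket is only useful together with a signature over a value the relying party chose for this session, which is what "binding the ticket into the encrypted session with a client secret" buys.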
