undefined | Better HN

0 pointsxg151mo ago0 comments

It seems reasonable for server-to-server auth though? Suppose my server xmpp.foo.com already trusts the other server xmpp.bar.com. Now I get some random incoming connection. How would I verify that this connection indeed originates from xmpp.bar.com? LE-assigned client certs sound like a good solution to that problem.

0 comments

bawolff1mo ago

> It seems reasonable for server-to-server auth though? Suppose my server xmpp.foo.com already trusts the other server xmpp.bar.com.

If you already trust xmpp.foo.com, then you probably shouldn't be using PKI, as PKI is a complex system to solve the problem where you don't have preexisting trust. (I suppose maybe PKI could be used to help with rolling over certs)

xg15OP1mo ago

No, the problem it was solving was "how do I verify that an incoming connection is actually from xmpp.foo.com and not from an impostor?"

You could also solve this with API keys or plain old authentication, but all of those require effort on xmpp.foo.com's side to specifically support your server.

Client certs seem better suited in that regard. A server can generate a trusted client cert once, and then everyone else can verify connections from that server without having to do any prior arrangements with it.

Avamander1mo ago

Which is almost exactly why WebPKI doesn't want to support such use-cases. Just this EKU change alone demonstrates how it can hinder WebPKI changes.

ge0rg1mo ago

Can you point out, at which point in time exactly, the public TLS PKI infrastructure has been reduced to WebPKI?

Avamander1mo ago

Can you point out at which point in time exactly it was designed to serve every use-case?

1 more reply

xg15OP1mo ago

Huh? The entire purpose of that EKU change was to disallow that usecase. How did that demonstrate problems for WebPKI?

Avamander1mo ago

This post here is the demonstration, that some non-WebPKI purpose is causing issues and complaints. This has happened before with SHA-1 deprecation. WebPKI does not want this burden and should not have this burden.

1 more reply

account421mo ago

Great circular reasoning there buddy.

j / k navigate · click thread line to collapse

0 comments

bawolff1mo ago

> It seems reasonable for server-to-server auth though? Suppose my server xmpp.foo.com already trusts the other server xmpp.bar.com.

xg15OP1mo ago

No, the problem it was solving was "how do I verify that an incoming connection is actually from xmpp.foo.com and not from an impostor?"

You could also solve this with API keys or plain old authentication, but all of those require effort on xmpp.foo.com's side to specifically support your server.

Avamander1mo ago

Which is almost exactly why WebPKI doesn't want to support such use-cases. Just this EKU change alone demonstrates how it can hinder WebPKI changes.

ge0rg1mo ago

Can you point out, at which point in time exactly, the public TLS PKI infrastructure has been reduced to WebPKI?

Avamander1mo ago

Can you point out at which point in time exactly it was designed to serve every use-case?

1 more reply

xg15OP1mo ago

Huh? The entire purpose of that EKU change was to disallow that usecase. How did that demonstrate problems for WebPKI?

Avamander1mo ago

1 more reply

account421mo ago

Great circular reasoning there buddy.

j / k navigate · click thread line to collapse