[Servercert-wg] [cabfpub] Using OV TLS server certificate as TLS client certificates only

Kurt Roeckx kurt at roeckx.be
Thu Apr 29 20:58:37 UTC 2021

On Thu, Apr 29, 2021 at 07:48:59PM +0000, Ryan Sleevi via Servercert-wg wrote:
> Presently, the inclusion of id-kp-clientAuth is a MAY for server
> certificates, and so it's not outright a violation. While I do not claim to
> speak for the entire Forum, there have been multiple discussions in the
> Forum in the past about removing that allowance, such that server
> certificates *only* contain id-kp-serverAuth.
> The purpose of including clientAuth, for server to server authentication,
> is understandable as to why it might be desirable, but fundamentally
> introduces a different trust framework.

id-kp-clientAuth is defined as "TLS WWW client authentication",
but it's also being used for things that are not related to www.
It would be better that for server to server authentication, you
create a new EKU, and that it's specific to a certain use case.


More information about the Servercert-wg mailing list