
What's the advantage of using REMOTE_IDENT over TLS_CLIENT_HASH? I see the TLS_CLIENT_HASH is part of the other


Posted in: s/GmCapsule

๐Ÿ€ gritty

2023-06-13 ยท 11 months ago


2 Comments ↓


๐Ÿ•น๏ธ skyjake [mod...] ยท 2023-06-14 at 04:32:

With self-signed certificates, the only really meaningful part is the key pair. The second part of REMOTE_IDENT is the public key fingerprint that identifies the key pair that was used to sign the certificate.


This provides some flexibility for an application. A client is able to generate a new certificate using an old private key, and the server can detect that a known key pair has been used, and use that as an additional way to identify the user.


It should be noted that while certificates have an expiration date, key pairs do not. Should a private key be stolen, one would have to manually tell every server to consider the key pair revoked/invalid.
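The two identities skyjake contrasts above can be seen directly with the openssl CLI. The following is an added example, not code from the thread or from GmCapsule: it creates one key pair, issues two self-signed certificates from it (as a client would when "renewing" an expired cert), and shows that the certificate hash changes while the public-key fingerprint stays the same. It also keeps a small server-side revocation list, since, as noted above, a stolen key pair never expires on its own. The fingerprint format used here (SHA-256 over the DER SubjectPublicKeyInfo) is an illustrative assumption, not necessarily the exact format GmCapsule puts in REMOTE_IDENT; the subject name and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or GmCapsule). Assumes the openssl CLI is
# installed. Fingerprint format is an assumption for illustration only.
set -e

WORK=$(mktemp -d)

# make_cert KEY SUBJECT DAYS OUT: self-signed certificate from an existing key.
make_cert() {
    openssl req -x509 -new -key "$1" -subj "$2" -days "$3" -sha256 -out "$4" 2>/dev/null
}

# cert_hash CERT: SHA-256 over the whole DER certificate. This is the kind of
# value a per-certificate identity (TLS_CLIENT_HASH style) is based on, so it
# changes every time the certificate is regenerated.
cert_hash() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# key_fingerprint CERT: SHA-256 over the DER SubjectPublicKeyInfo extracted from
# the certificate, i.e. an identity for the key pair rather than the cert.
key_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Server-side revocation list of key fingerprints (constructed for the example).
REVOKED_KEYS="$WORK/revoked_keys.txt"
: > "$REVOKED_KEYS"

# revoke_key FINGERPRINT: record a key pair the user reported as stolen.
revoke_key() {
    echo "$1" >> "$REVOKED_KEYS"
}

# key_is_trusted FINGERPRINT: succeeds unless the fingerprint is on the list.
key_is_trusted() {
    ! grep -qx "$1" "$REVOKED_KEYS"
}

# One key pair, two certificates with different lifetimes (and random serials).
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem" 2>/dev/null
make_cert "$WORK/key.pem" "/CN=gritty" 30   "$WORK/cert1.pem"
make_cert "$WORK/key.pem" "/CN=gritty" 3650 "$WORK/cert2.pem"

echo "cert hash 1:   $(cert_hash "$WORK/cert1.pem")"
echo "cert hash 2:   $(cert_hash "$WORK/cert2.pem")"
echo "key fp 1:      $(key_fingerprint "$WORK/cert1.pem")"
echo "key fp 2:      $(key_fingerprint "$WORK/cert2.pem")"
```

Run as-is: the two certificate hashes differ, the two key fingerprints match, so a server keyed on the fingerprint recognises the returning user without re-registration. The flip side is visible in `key_is_trusted`: nothing in the key itself ever stops it from validating, so once a fingerprint is added with `revoke_key` the server has to consult that list on every request.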


๐Ÿ€ gritty [OP] ยท 2023-06-14 at 09:45:

@skyjake I didn't realize you could make a new cert with the same key pair. That is an interesting way to add extra verification for users vs. just certs. Good for longer-term use, it seems. Thanks.


-- Page fetched on Sun May 19 20:45:14 2024