Comment by aborsy

Comment by aborsy 10 months ago

0 replies

View on Hacker News

Yes, sorry the private is indeed used in mTLS.

Without that there is still authentication: clients who don’t presents a certificate signed by CA are refused. A weaker form of authentication is who ever presents a signed certificate connects, regardless of whether they hold the private key or not. In practice, these two are packed into a p12 certificate anyways, at least browsers.

Interesting that defense industry uses mTLS. It’s a pitty because the UX could be good: no need to route the entire traffic by a VPN. Simply have a certificate in the browser and the user will have access with no further action or setup.