Many protocols use mutual authentication within TLS. One such protocol is KMIP - Key Management Interoperability Protocol - see https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip. In KMIP mutual authentication at the TLS level is mandatory.
I don't get the rationale for Google wanting to basically ban any CA that issues with an EKU for client authentication - but then the tendency to be very web-centric and the poor handling of client authentication within browsers does lead to unfortunate decisions being made. It would also make logical sense I assume (from a Google perspective) to remove client authentication support entirely from the protocol. Redefining that certificates that operate as a client inside TLS client authentication to be packaged or presented as something other than what they are also seems like the wrong way to solve this issue to me. Calling a client a server for a specific context of usage does not seem like a "solution".

Tim.