by q3k
2070 days ago
The server doesn't need to store the certificate, or even a mapping from certificate to identity. Just retrieving information encoded in the DN or SANs of a certificate presented by a client is enough to tie the connection originator/client to an identity. I mean, it's a design decision, whether you want to have a layer of indirection there - but keeping it without one allows TLS client certificates to be fully stateless, and be used across multiple backends that do not share any session/mapping store between them. In addition, if I'm being picky, TLS 1.3 changes how client certificates are used, and they are now not part of the initial handshake.
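Added illustration of the stateless scheme the comment describes (not q3k's code, and not from any project mentioned in the thread): the server verifies the presented leaf against the CA it trusts, then reads the identity straight out of the Subject DN and the URI SAN, with no certificate store or cert-to-identity map. The CA, the "billing-svc" CN and the spiffe:// URI are constructed fixtures built in memory; the chain check before reading the DN is the part that keeps the design safe, since without it any self-minted certificate could claim any name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Identity is everything a backend needs, read from the certificate itself.
type Identity struct {
	CommonName string   // from the Subject DN
	URISANs    []string // URI SANs, e.g. a SPIFFE-style ID (constructed example)
}

// IdentityFromClientCert verifies that the leaf chains to a trusted CA, then
// derives the identity from the DN and SANs alone. No lookup table or session
// store is consulted, so every backend trusting the same CA gets the same answer.
func IdentityFromClientCert(leaf *x509.Certificate, roots *x509.CertPool) (Identity, error) {
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return Identity{}, fmt.Errorf("client certificate not trusted: %w", err)
	}
	id := Identity{CommonName: leaf.Subject.CommonName}
	for _, u := range leaf.URIs {
		id.URISANs = append(id.URISANs, u.String())
	}
	return id, nil
}

// mint issues a certificate from tmpl: self-signed when parent is nil (the
// throw-away CA), otherwise signed by parentKey. Test fixture only.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Fixtures builds an in-memory CA and a client certificate it signed.
// All names here are constructed for the example.
func Fixtures() (ca, leaf *x509.Certificate, err error) {
	now := time.Now()
	ca, caKey, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	uri, _ := url.Parse("spiffe://example.org/billing")
	leaf, _, err = mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "billing-svc"},
		URIs:         []*url.URL{uri},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return ca, leaf, err
}

// Demo: a backend that trusts the CA derives the identity with no stored state.
func Demo() (Identity, error) {
	ca, leaf, err := Fixtures()
	if err != nil {
		return Identity{}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return IdentityFromClientCert(leaf, pool)
}

// DemoUntrusted: the same leaf shown to a backend with an empty root pool is
// rejected before any name in it is believed.
func DemoUntrusted() error {
	_, leaf, err := Fixtures()
	if err != nil {
		return err
	}
	_, err = IdentityFromClientCert(leaf, x509.NewCertPool())
	return err
}

func main() {
	id, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("client identity: %+v\n", id)
	fmt.Println("untrusted CA:", DemoUntrusted())
}
```

In a real server the leaf would come from `tls.ConnectionState.PeerCertificates[0]` (or `tls.Config.VerifyPeerCertificate`) instead of `Fixtures()`, and a second backend would need nothing but the same CA pool to reach the same `Identity`.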