
Yes, sorry, the private key is indeed used in mTLS.

Without that there is still authentication: clients who don’t present a certificate signed by the CA are refused. A weaker form of authentication is that whoever presents a signed certificate connects, regardless of whether they hold the private key or not. In practice, these two are packed into a p12 certificate anyways, at least in browsers.

Interesting that the defense industry uses mTLS. It’s a pity because the UX could be good: no need to route the entire traffic through a VPN. Simply have a certificate in the browser and the user will have access with no further action or setup.



