mTLS is not Client Hostname Validation
When using TLS with a server certificate, the client validates the server's hostname against the Subject Alternative Name (SAN) or Common Name (CN) in the certificate the server presents. With mutual TLS, however, the certificate the client presents does not necessarily contain the client's hostname, so in most deployments the client hostname is not validated at all. (We can always build software that requires specific fields in the client certificate and checks them, but that is an application-level check on top of the handshake, not something mTLS does for us.) The client certificate can contain anything - an email address or a username - and the only thing the handshake establishes is that it was issued by a certificate authority the server trusts for establishing the user's identity. There's nothing stopping the user from copying the certificate across to another device and using the same certificate from the new device.
For example, this can be the subject in a server certificate:
Country=AE,
State=Dubai,
Organization=Pocket Theories,
Common Name=www.pockettheories.com
Subject Alternate Name: DNS:www.pockettheories.com, DNS:pockettheories.com, IP:1.2.3.4
…and here’s an example of a client certificate:
Country=AE,
State=Dubai,
Organization=Pocket Theories Users,
Common Name=nita@pockettheories.com
Subject Alternate Name: EMAIL:nita@pockettheories.com
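To make the point concrete, here is an added example in Go (not code from the original post) that builds a throwaway CA and a client certificate shaped like the one above, with an e-mail SAN and no DNS or IP names, then shows the two separate steps a server has to take: the chain verification that mTLS gives you, and the identity binding you have to write yourself. The CA name, the "nita@pockettheories.com" identity and the function names are constructed for the example; the TLS plumbing uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate from tmpl; self-signed when parent is nil.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewTestPKI builds a constructed CA and a client certificate whose only identity
// is an e-mail SAN, mirroring the client certificate shown in the post.
func NewTestPKI() (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Pocket Theories Users CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey, err := makeCert(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	clientTmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: "nita@pockettheories.com"},
		EmailAddresses: []string{"nita@pockettheories.com"}, // the only SAN: no DNS, no IP
		NotBefore:      now.Add(-time.Hour),
		NotAfter:       now.Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client, _, err := makeCert(clientTmpl, ca, caKey)
	return ca, client, err
}

// HasHostname reports whether the certificate carries any DNS or IP SAN that a
// hostname check could run against. For a typical client certificate this is false.
func HasHostname(cert *x509.Certificate) bool {
	return len(cert.DNSNames) > 0 || len(cert.IPAddresses) > 0
}

// MatchesIdentity is the application-level binding the handshake does not do:
// it requires the presented certificate to name the expected e-mail in its SAN.
func MatchesIdentity(cert *x509.Certificate, wantEmail string) error {
	for _, e := range cert.EmailAddresses {
		if e == wantEmail {
			return nil
		}
	}
	return errors.New("client certificate is trusted but not issued to the expected identity")
}

// CheckClientIdentity performs both steps: chain verification against the trusted
// roots (what mTLS gives you) and then the identity binding (what you must add).
func CheckClientIdentity(cert *x509.Certificate, roots *x509.CertPool, wantEmail string) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	return MatchesIdentity(cert, wantEmail)
}

// ServerTLSConfig shows where the binding plugs in: ClientCAs handles the chain,
// VerifyPeerCertificate then receives the verified leaf and enforces the identity.
func ServerTLSConfig(roots *x509.CertPool, wantEmail string) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  roots,
		VerifyPeerCertificate: func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
			if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
				return errors.New("no verified client certificate")
			}
			return MatchesIdentity(verifiedChains[0][0], wantEmail)
		},
	}
}

func main() {
	ca, client, err := NewTestPKI()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println("client cert has a hostname to check:", HasHostname(client))
	fmt.Println("expected user:", CheckClientIdentity(client, roots, "nita@pockettheories.com"))
	fmt.Println("other user:   ", CheckClientIdentity(client, roots, "someone-else@pockettheories.com"))
	_ = ServerTLSConfig(roots, "nita@pockettheories.com")
}
```

Note that `cert.Verify` succeeds for any certificate the CA issued; it is `MatchesIdentity` that rejects a valid certificate presented for the wrong user, and nothing in either step ties the certificate to the device it is used from.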