nanog mailing list archives

Re: Massive change in Public Cert behaviour coming soon


From: brent saner via NANOG <nanog () lists nanog org>
Date: Sat, 17 May 2025 19:56:56 -0500

On Sat, May 17, 2025, 19:34 William Herrin via NANOG <nanog () lists nanog org>
wrote:

> On Sat, May 17, 2025 at 4:23 PM Colin Constable via NANOG
> <nanog () lists nanog org> wrote:
> > Is anyone else worried about this? We use public certs for client auth
> > in a number of cases.
> >
> > https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/
> >
> > Does seem like it might have an impact on SMTP...


SMTPS/SMTP + STARTTLS for MTA <-> MTA does not use id-kp-clientAuth EKU,
which is what they're deprecating/removing. Certs are used on MTAs for
*identity verification of the server* and *integrity
validation/encryption*, not authentication.

It is strictly only used for *authenticating clients*, hence the name, in
mTLS (or *client*-driven one-way TLS, which I don't think I've ever
actually seen in the wild to my knowledge).

The only case this would matter is if you are using an MUA/sender/client
*authenticating* to an MTA with a certificate. 99.999% of email is one-way
server TLS, not mTLS. LE certs will continue to work fine for SMTP.


_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HV65MB3DDIQG6U45PWYZWQL47TB27Y3D/