nanog mailing list archives

Re: Massive change in Public Cert behaviour coming soon


From: Crist Clark via NANOG <nanog () lists nanog org>
Date: Sun, 18 May 2025 21:25:48 -0700

On Sun, May 18, 2025 at 7:04 PM brent saner via NANOG <nanog () lists nanog org>
wrote:


Most wide-trust CAs don't even issue certs with id-kp-clientAuth set, I
wasn't aware LE was even doing so until I found out about them removing it-
because it's generally not useful for internet-facing resources unless you
control the authority.


Yes. This. Most (almost all?) of the standard server certs from other
certificate authorities have never included client auth EKU. All of those
applications where someone got their certificate from another CA and it
just works, will just work with the Let's Encrypt certs after the change.

However, a few people have stated they use Let's Encrypt certificates for
things that do use client authentication. Let's Encrypt is run by the
Internet Security Research Group (ISRG), a non-profit organization. They
want to support the community as best they can. If there is a significant
community out there using their certificates in this manner, let them know.
Better yet, back it up with offers of sponsorship or direct assistance in
providing the service.
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/E2TGYVWARS6WF7QSCOQBD6DUBYBGCPFC/