nanog mailing list archives
Re: Massive change in Public Cert behaviour coming soon
From: Christian de Larrinaga via NANOG <nanog () lists nanog org>
Date: Mon, 19 May 2025 11:44:28 +0100
Chris Adams via NANOG <nanog () lists nanog org> writes:
> Once upon a time, William Herrin <bill () herrin us> said:
>> On Sat, May 17, 2025 at 4:23 PM Colin Constable via NANOG <nanog () lists nanog org> wrote:
>>> Is anyone else worried about this? We use public certs for client auth in a number of cases.
>>> https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/
>> Does seem like it might have an impact on SMTP...
> Who is using Let's Encrypt web server certs for SMTP client authentication?
I am, quite extensively. I should note that several hosting scripts that deploy web/email/mysql etc. services (LAMP stacks etc.) use the TLS cert provided to the domain hosted on a "server" also for SMTP servers, with a dotted line to mailman where that is also installed. Those certs are these days almost always going to be Let's Encrypt.

DKIM, SPF and DMARC are already very fussy and can be fiddly as it is. I don't see the benefit in having separate certs for each application on a domain/zone beyond having yet another "vital" thing to be broken and so having to keep an eye on, with all the hassle and cost that can imply.

Also I am not entirely clear what the implications of this change are, as it is not spelt out. Will we have to set up a private PKI for each SMTP / domain instance once LE bows to the will of the great Google thought policeman in its cloud? If so, are there any tooling / scripts I can add to keep continuity? e.g., an acme equivalent to self-generate a cert, and will this be recognised as a valid cert rather than fall into the self-signed ghetto that the web browser CA lists like to shove the rest of us into?

It also begs a question. If running one's own cert authority PKI for email, apps, messaging, tunnels and so on is so great, why not great for my websites and web apps as well?

-- 
Christian de Larrinaga

NANOG mailing list: https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HVVUICRKLNE5STGHAAJOGHSXJJQDLH4Z/
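As an added illustration of the "private PKI for SMTP" question raised in the post (this is not code from the thread or from Let's Encrypt), the script below uses the openssl CLI to stand up a throwaway private CA, issue an MTA certificate that carries the clientAuth EKU the Let's Encrypt announcement is removing, and run the same purpose check a peer performs. Host and CA names are placeholders; it assumes an OpenSSL 1.1.1 or newer binary on PATH.

```shell
#!/bin/sh
# Added example: minimal private CA for SMTP client-auth certs.
# ca.example.net / mx1.example.net are placeholder names.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir for keys and certs

# Create the private root CA (ECDSA P-256, 10-year validity).
# "req -x509" already sets basicConstraints CA:TRUE; keyUsage is added
# explicitly so the CA is only usable for signing certs and CRLs.
make_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 3650 \
        -subj "/CN=ca.example.net private root" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
}

# Issue a 90-day leaf for an MTA. It carries BOTH serverAuth (inbound
# STARTTLS) and clientAuth (presenting the cert when we are the SMTP
# client), which is the combination public CAs are phasing out.
issue_leaf() {
    host="$1"
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\nkeyUsage=critical,digitalSignature\n' \
        "$host" > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$host.pem" \
        -days 90 -extfile "$WORK/$host.ext" >/dev/null 2>&1
}

# Exit 0 if the cert chains to our CA and is valid for the given purpose
# ("sslclient" or "sslserver"). This is the check a TLS peer performs, so
# a cert whose EKU omits clientAuth fails here with -purpose sslclient.
cert_ok_for() {
    openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$WORK/$1.pem" \
        >/dev/null 2>&1
}

# Exit 0 if the cert's EKU literally lists client authentication.
has_client_auth_eku() {
    openssl x509 -in "$WORK/$1.pem" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}
```

Running `openssl verify -purpose sslclient` against an existing public cert is a quick way to see whether it will still pass as a client cert once its issuer stops including the clientAuth EKU.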
