nanog mailing list archives
Re: Massive change in Public Cert behaviour coming soon
From: Christian de Larrinaga via NANOG <nanog () lists nanog org>
Date: Mon, 19 May 2025 11:48:54 +0100
brent saner via NANOG <nanog () lists nanog org> writes:
On Sat, May 17, 2025, 19:34 William Herrin via NANOG <nanog () lists nanog org> wrote:

Does seem like it might have an impact on SMTP...

SMTPS/SMTP + STARTTLS for MTA <-> MTA does not use id-kp-clientAuth EKU, which is what they're deprecating/removing. Certs are used on MTAs for *identity verification of the server* and *integrity validation/encryption*, not authentication. It is strictly only used for *authenticating clients*, hence the name, in mTLS (or *client*-driven one-way TLS, which I don't think I've ever actually seen in the wild to my knowledge). The only case this would matter is if you are using an MUA/sender/client *authenticating* to an MTA with a certificate. 99.999% of email is one-way server TLS, not mTLS. LE certs will continue to work fine for SMTP.
Maybe this answers my questions. I am not sure. Is there any clear documentation of what is going on here?
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HV65MB3DDIQG6U45PWYZWQL47TB27Y3D/

--
Christian de Larrinaga
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/F5UVFTDK3N2PQZYOZYCD5SZH6SFOQZPM/
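
The server/client distinction drawn in the quoted message, as an added example that is not part of the thread or any poster's code: Go's standard `crypto/x509` verifier checks a certificate against the role it is presented in, so a certificate without id-kp-clientAuth still verifies as a TLS server but is rejected when presented as a TLS client. The certificates are constructed, self-signed test certificates, and `check` is a hypothetical helper name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// check issues a constructed self-signed test certificate (serverAuth, plus
// clientAuth if asked), trusts it as its own root, and verifies it per TLS role.
func check(clientAuth bool) (asServer, asClient bool) {
	ekus := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	if clientAuth {
		ekus = append(ekus, x509.ExtKeyUsageClientAuth)
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	// KeyUsages selects the role the verifier is checking the certificate for.
	verify := func(u x509.ExtKeyUsage) bool {
		_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{u}})
		return err == nil
	}
	return verify(x509.ExtKeyUsageServerAuth), verify(x509.ExtKeyUsageClientAuth)
}

func main() {
	fmt.Println(check(true))  // certificate with serverAuth + clientAuth
	fmt.Println(check(false)) // certificate with serverAuth only
}
```

Each printed pair is (verifies as server, verifies as client); only the second value differs between the two certificates.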
