nanog mailing list archives

Re: Massive change in Public Cert behaviour coming soon


From: Tom Beecher via NANOG <nanog () lists nanog org>
Date: Mon, 19 May 2025 07:54:07 -0400


Is there any clear documentation of what is going on here?


Yes.

LE's announcement:
https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/
Chromium Root Program Participation Policies, v1.6, Sec 2:
https://googlechrome.github.io/chromerootprogram/#2-chrome-root-program-participant-policies

To continue to be a Root CA in the Chrome Root Store, CAs must abide by
the new requirements, which for this convo is:

   - focused only on the specific PKI use case of issuing TLS server
   authentication certificates to websites.

Most things, especially in a browser, are going to be doing 'normal'
(1-way) TLS, meaning only the server identity is verified. It is also
possible to implement mutual TLS (mTLS), in which the client and server must
both verify their identities. This is where TLS client authentication certs
are used. Most people aren't doing mTLS for a variety of reasons, and if
you are, you're not relying on a public CA to do it anyway.

On Mon, May 19, 2025 at 6:49 AM Christian de Larrinaga via NANOG <
nanog () lists nanog org> wrote:

brent saner via NANOG <nanog () lists nanog org> writes:

On Sat, May 17, 2025, 19:34 William Herrin via NANOG <
nanog () lists nanog org> wrote:

Does seem like it might have an impact on SMTP...


SMTPS/SMTP + STARTTLS for MTA <-> MTA does not use id-kp-clientAuth EKU,
which is what they're deprecating/removing. Certs are used on MTAs for
*identity verification of the server* and *integrity
validation/encryption*, not authentication.

It is strictly only used for *authenticating clients*, hence the name, in
mTLS (or *client*-driven one-way TLS, which I don't think I've ever
actually seen in the wild to my knowledge).

The only case this would matter is if you are using an MUA/sender/client
*authenticating* to an MTA with a certificate. 99.999% of email is one-way
server TLS, not mTLS. LE certs will continue to work fine for SMTP.


Maybe this answers my questions. I am not sure.

Is there any clear documentation of what is going on here?



_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HV65MB3DDIQG6U45PWYZWQL47TB27Y3D/

--
Christian de Larrinaga

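The EKU distinction the thread turns on (id-kp-serverAuth vs id-kp-clientAuth) can be checked directly rather than argued about. The Go program below is an added example, not code from the thread, from Let's Encrypt or from the Chrome Root Program: it builds a throwaway CA (the name "Constructed Test CA", the host names and the counter-based serials are all made up for the example), issues one leaf carrying only serverAuth and one carrying serverAuth plus clientAuth, and runs Go's standard chain validation asking for each purpose in turn. The serverAuth-only leaf, which models what a public CA will issue under the new policy, validates as a TLS server but is rejected as an mTLS client; hasEKU is the inventory check to run over certificates you already hold.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serial is a plain counter for this constructed example; a real CA uses
// large random serial numbers.
var serial int64

func nextSerial() *big.Int {
	serial++
	return big.NewInt(serial)
}

// newCA builds a self-signed throwaway CA. It carries no EKU extension, so
// Go treats it as permitted to issue leaves for any purpose.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"}, // made-up name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues an end-entity certificate for name whose extendedKeyUsage
// extension contains exactly the given purposes.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasEKU reports whether the certificate itself asserts the given EKU; run
// this over existing certs to find any that currently rely on clientAuth.
func hasEKU(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == want {
			return true
		}
	}
	return false
}

// usableFor performs full chain validation for one purpose, as a TLS peer
// would. A leaf whose EKU list lacks that purpose fails even though its
// chain, dates and signature are all fine.
func usableFor(leaf, ca *x509.Certificate, usage x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil
}

func main() {
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	ca, caKey, err := newCA()
	must(err)
	// serverOnly models a post-change public-CA certificate (serverAuth only);
	// dual models one that still carries clientAuth as well. Names are constructed.
	serverOnly, err := issueLeaf(ca, caKey, "mta.example.test", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	must(err)
	dual, err := issueLeaf(ca, caKey, "client.example.test", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
	must(err)
	fmt.Println("server-only cert as TLS server:", usableFor(serverOnly, ca, x509.ExtKeyUsageServerAuth))
	fmt.Println("server-only cert as mTLS client:", usableFor(serverOnly, ca, x509.ExtKeyUsageClientAuth))
	fmt.Println("dual cert as mTLS client:", usableFor(dual, ca, x509.ExtKeyUsageClientAuth))
}
```

To audit deployed certificates, parse each with x509.ParseCertificate and call hasEKU with x509.ExtKeyUsageClientAuth. Only a certificate that both carries that EKU and is actually presented by the client side of a handshake (an MUA or service authenticating to a server with a cert) is affected; MTA-to-MTA STARTTLS and SMTPS present the certificate in the server role, which needs serverAuth and keeps working.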