nanog mailing list archives

Re: Massive change in Public Cert behaviour coming soon


From: Tom Beecher via NANOG <nanog () lists nanog org>
Date: Thu, 22 May 2025 14:34:16 -0400

I don't disagree that Google imposing the certain conditions on the CAs
isn't great, but that's a separate conversation.

LetsEncrypt is no longer supporting one of the EKU options... that people
have been complaining here for days shouldn't ever be used in the first
place.

/boggle

On Thu, May 22, 2025 at 2:04 PM Jay Acuna <mysidia () gmail com> wrote:

On Thu, May 22, 2025 at 12:45 PM Tom Beecher via NANOG
<nanog () lists nanog org> wrote:
want it imposed on me from on high.
It's **YOUR** certificate that **YOU** are creating.  The EKU is NOT
mandatory to have present.

Who is "imposing" something on you?

Your CA is imposing it clearly... in this case LetsEncrypt.

However, their reasoning ultimately is Google is mandating a new
standard by fiat, and unilaterally to limit the declared purposes for
your certificates.

Although Google is one vendor and doesn't have IETF or any industry
standards body in agreement to make EKU a mandatory field.
Google holds a monopoly position which they can abuse to bypass
all standards bodies and hold your CA hostage should they not agree
to any new arbitrary standards or rules they come up with.

If your CA doesn't agree to create and impose the extra restrictions
on you and how you can use your certificates with other software,
then Google will drop support for all LetsEncrypt certs from
their browser, Chrome.

--
-JA
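As an added example (not from this thread, and not any CA's tooling): the Go program below, standard library only, checks whether a certificate carries an EKU extension at all and whether it explicitly declares a given purpose, so an operator can find the certificates that would be affected when a CA stops issuing that EKU. The thread does not name the EKU value in question, so it is a parameter here; the self-signed certificate is constructed test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"slices"
	"time"
)

// id-ce-extKeyUsage (RFC 5280, 4.2.1.12); the extension is optional in a certificate.
var oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}

// HasEKU reports whether the EKU extension is present at all (an empty
// cert.ExtKeyUsage alone cannot distinguish an absent extension from an empty one).
func HasEKU(cert *x509.Certificate) bool {
	return slices.ContainsFunc(cert.Extensions, func(e pkix.Extension) bool {
		return e.Id.Equal(oidExtKeyUsage)
	})
}

// DependsOn reports whether the cert explicitly declares the given purpose,
// i.e. whether it would be affected if the CA stopped issuing that EKU.
func DependsOn(cert *x509.Certificate, eku x509.ExtKeyUsage) bool {
	return slices.Contains(cert.ExtKeyUsage, eku)
}

// SelfSigned builds a throwaway self-signed cert with the given EKUs
// (constructed test input, not a CA-issued certificate).
func SelfSigned(ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  ekus, // nil: no EKU extension is written at all
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run the same two checks over a directory of deployed certificates to see which ones rely on a purpose the CA will no longer issue.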

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/QWDOAL6G3GCF3WOGE7CUA4V7PYI4HIYN/
