nanog mailing list archives

Re: Massive change in Public Cert behaviour coming soon


From: Jay Acuna via NANOG <nanog () lists nanog org>
Date: Thu, 22 May 2025 14:57:02 -0500

On Thu, May 22, 2025 at 1:28 PM Tom Beecher via NANOG
<nanog () lists nanog org> wrote:

> So let me get this straight.
> 1. You have just spent multiple days arguing that EKU options in X.509
> certificates are not something that should be used at all because (in your
> ..
> 2. LetsEncrypt is making a change to REMOVE one of the possible EKU
> ..
> 3. You interpret this as having something 'imposed' on you.

Yes. To use network routers as an analogy to what the CA is doing:

In network terms: 1. Your router vendor should not ship you internet routers
with an access-list (EKU) imposed upon your equipment's network interfaces'
traffic forwarding capabilities without your request and approval as the
subject/owner of the machine (owner of the cert whose identity the CA exists
to attest to).

2. LetsEncrypt originally issues you the certificates you applied for to
authenticate your identity with no EKU, or a less-restrictive EKU.

In network terms: your router vendor ships your equipment with no default
access list imposed, so at least you can decide the policy locally, or at
least one that contains
     permit ip any any

3. LetsEncrypt's change is to start enforcing that you can only get
certificates with an EKU, and it must be a more restrictive EKU.

     You will only be allowed to forward packets compliant with that
     more restrictive EKU, and the EKU signals other parties to drop
     packets from you which don't comply.

In network terms: your hardware vendor's change of policy is to start
enforcing a new access-list on all IP interfaces that says
     permit tcp any any
     deny any

With no approval or option for the subject of the cert to remove or
revise the declared restriction.

There may be some protocols you are using which are no longer allowed, such
as ICMP, but your vendor does not think a significant number of people use
ICMP, so they don't care that you would no longer be able to get routers
approved by them to forward that protocol.

--
-JA
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/EZELNRSO7246LIEZHBD7WFFMMFEXYG5L/
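The access-list analogy above maps onto the rule relying parties actually apply to the X.509 Extended Key Usage extension (RFC 5280 section 4.2.1.12): no EKU means any purpose is acceptable, while a present EKU restricts the certificate to the listed purposes. The following is an added example, not code from the thread; the DER extension values are hand-encoded samples, and the minimal parser assumes well-formed input.

```python
# Added example (not from the thread): the relying-party rule for the X.509
# Extended Key Usage extension, RFC 5280 4.2.1.12. DER samples are constructed.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage

def _read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F                      # long form: n following length octets
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(body):
    """Dotted form of the content octets of a DER OBJECT IDENTIFIER."""
    arcs = [body[0] // 40, body[0] % 40]   # first octet packs the first two arcs
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_eku(der):
    """Parse ExtKeyUsageSyntax (SEQUENCE OF OBJECT IDENTIFIER) into OID strings."""
    if der[0] != 0x30:
        raise ValueError("EKU value must be a DER SEQUENCE")
    length, pos = _read_len(der, 1)
    end = pos + length
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("EKU SEQUENCE may only hold OBJECT IDENTIFIERs")
        length, pos = _read_len(der, pos + 1)
        oids.append(_decode_oid(der[pos:pos + length]))
        pos += length
    return oids

def eku_permits(eku_der, purpose):
    """No EKU extension: any purpose is permitted ("permit ip any any").
    EKU present: only listed purposes, unless anyExtendedKeyUsage is listed."""
    if eku_der is None:
        return True
    listed = parse_eku(eku_der)
    return purpose in listed or ANY_EKU in listed

# Constructed extnValue contents (OCTET STRING wrapper omitted), hand-encoded DER.
EKU_SERVER_AND_CLIENT = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")
```

With `EKU_SERVER_ONLY`, `eku_permits(..., CLIENT_AUTH)` is False: the certificate is still valid for TLS server use, but a peer asked to accept it for client authentication will reject it, which is the "deny any" line of the analogy.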
