nanog mailing list archives

Re: Massive change in Public Cert behaviour coming soon


From: William Herrin via NANOG <nanog () lists nanog org>
Date: Thu, 22 May 2025 11:55:54 -0700

On Thu, May 22, 2025 at 11:27 AM Tom Beecher <beecher () beecher cc> wrote:
> Google and Letsencrypt, as discussed in the message which started this thread.
>
> So let me get this straight.

Hi Tom,

I wouldn't say you have it straight, but you have the basic facts.

In my opinion, EKUs should not exist because they corrupt the
authentication-authorization process by placing an authorization
component in the authentication step. Since they do exist, despite my
displeasure, letsencrypt was doing the right thing by including both
compatible EKUs in the certificates they issue, making their existence
moot. Per the press release, they will cease doing the right thing.
Per the press release, they will cease doing the right thing because
Google insisted and threatened to make their certificates stop working
if they didn't.

That is an imposition, and it's from Google who is about as "on high"
as it gets without being an actual government. This imposition is
possible because the base technology improperly mixed authentication
and authorization components instead of keeping the boundary between
the two clean.

Regards,
Bill Herrin


-- 
William Herrin
bill () herrin us
https://bill.herrin.us/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HS6KDJ5O6R52U553ORFIEAWJR2HL2U72/
