Re: Massive change in Public Cert behaviour coming soon

[nanog--- via NANOG <nanog () lists nanog org>]

It's not obvious whether Google can afford to drop LetsEncrypt, the 
single most widely used CA, used on approx 2/3 of all websites, over a 
unilateral policy decision by Google. It would amount to Google blocking 
2/3 of the web in Chrome. Users would be forced to roll back the version 
or switch to different browsers.

However, it's obvious that Let's Encrypt isn't interested in taking that 
risk.


On 22/05/25 20:03, Jay Acuna via NANOG wrote:
> On Thu, May 22, 2025 at 12:45 PM Tom Beecher via NANOG
> <nanog () lists nanog org> wrote:
> > > want it imposed on me from on high.
> > It's **YOUR** certificate that **YOU** are creating.  The EKU is NOT
> > mandatory to have present.
> > Who is "imposing" something on you?
> Your CA is imposing it clearly.. in this case LetsEncrypt.
>
> However, their reasoning ultimately is Google is mandating a new
> standard by fiat, and unilaterally to limit the declared purposes for
> your certificates.
>
> Although Google is one vendor and doesn't have IETF or any industry
> standards body in agreement to make EKU a mandatory field.
> Google holds a monopoly position which they can abuse to bypass
> all standards bodies and hold your CA hostage should they not agree
> to any new arbitrary standards or rules they come up with.
>
> If your CA doesn't agree to create and impose the extra restrictions
> on you and how you can use your certificates with other software,
> then Google will drop support for all LetsEncrypt certs from
> their browser  Chrome.
>
> --
> -JA
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/ZNVKSJHYPD6ZRJ6N5UTDNBQBNWB3A7QU/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/TR6N6WNHZ6JRWAFCMT7MJGMERZSEXIHO/