nanog mailing list archives
Re: Trivial change in Public Cert behaviour coming soon
From: Grant Taylor via NANOG <nanog () lists nanog org>
Date: Fri, 23 May 2025 22:10:03 -0500
On 5/23/25 9:38 PM, John Levine via NANOG wrote:
> As someone else noted, in this utterly implausible scenario
I'll give you implausible or unlikely or rare. Maybe even rare enough to be effectively nobody.
> (nobody uses domain certificates to authorize mail submission,
But I will not give you actual nobody. I know multiple other people that use their server's TLS certificate from a public CA for mTLS to authorize submission.
Your statement that nobody uses domain certificates to authorize mail submission, as in zero people, is wrong.
The certificates in question are for the system's FQDN.
> and SMTP doesn't use client certs at all)
In order to avoid SMTP (server receiving email) vs submission (server relaying email) I'll say this: I know of multiple MTAs that are using their cert for their FQDN to authenticate to other servers while relaying email.
The first / relaying server is using its TLS certificate for mTLS with the next server in line.
> you would have your private CA sign the certs for your users.
You seem to be thinking / talking about people in front of keyboards / smart devices.
I'm talking about /servers/; NS1, NS2, and FS1, not people, using mTLS to authenticate to MTA1.
> You do know that you can have multiple signatures on the same cert, don't you?
Yes, I'm well aware of that. What I'm not aware of is what different signers have to do with extended key usage options. -- My understanding is that the EKU options are requested in the CSR and approved EKU options are propagated to the signed cert. But a single cert signed by multiple signers would still have the same EKU options.
--
Grant. . . .
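Added example (not part of the message above, nor code from any project in the thread): a standard-library Python check of which EKU purposes a DER-encoded certificate carries, and whether they permit the TLS client role that server-to-server mTLS relies on. The function names, the `der`/`sample` helpers and the cert-shaped sample bytes are constructed for illustration; the OIDs are the RFC 5280 values for extKeyUsage, serverAuth and clientAuth.

```python
# Added example, not code from the thread. Sample data below is constructed.
EKU_OID = bytes.fromhex("551D25")                  # 2.5.29.37 extKeyUsage
KP = bytes.fromhex("2B060105050703")               # 1.3.6.1.5.5.7.3 (id-kp) prefix
NAMES = {KP + b"\x01": "serverAuth", KP + b"\x02": "clientAuth"}

def tlvs(buf):
    """Yield (tag, value) for each DER element laid end to end in buf."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER")
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                               # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[i:i + n]
        i += n

def eku_purposes(der_bytes):
    """Return the EKU purposes found, or None when no EKU extension exists."""
    for tag, val in tlvs(der_bytes):
        if not tag & 0x20:                         # primitive element, nothing nested
            continue
        kids = list(tlvs(val))
        if tag == 0x30 and kids and kids[0] == (0x06, EKU_OID):
            (_, seq), = tlvs(kids[-1][1])          # OCTET STRING wraps SEQUENCE OF OID
            return [NAMES.get(oid, oid.hex()) for _, oid in tlvs(seq)]
        found = eku_purposes(val)
        if found is not None:
            return found
    return None

def usable_as_tls_client(der_bytes):
    """True if EKU is absent (RFC 5280: no EKU restriction) or lists clientAuth."""
    purposes = eku_purposes(der_bytes)
    return purposes is None or "clientAuth" in purposes

def der(tag, *parts):                              # encoder for the constructed samples
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body          # short-form length only (< 128)

def sample(*purpose_ids):
    """Constructed cert-shaped nesting: SEQUENCE > [3] > extensions > EKU."""
    oids = [der(0x06, KP + bytes([p])) for p in purpose_ids]
    ext = der(0x30, der(0x06, EKU_OID), der(0x04, der(0x30, *oids)))
    return der(0x30, der(0x02, b"\x01"), der(0xA3, der(0x30, ext)))
```

For a real certificate, pass its DER bytes, for example the output of `ssl.PEM_cert_to_DER_cert()` on the PEM file the MTA presents.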
