
On Sun, May 18, 2025 at 7:04 PM brent saner via NANOG <nanog@lists.nanog.org> wrote:
> Most wide-trust CAs don't even issue certs with id-kp-clientAuth set; I wasn't aware LE was even doing so until I found out about them removing it - because it's generally not useful for internet-facing resources unless you control the authority.

Yes. This. Most (almost all?) of the standard server certs from other certificate authorities have never included client auth EKU. All of those applications where someone got their certificate from another CA and it just works will just work with the Let's Encrypt certs after the change.

However, a few people have stated they use Let's Encrypt certificates for things that do use client authentication. Let's Encrypt is run by the Internet Security Research Group (ISRG), a non-profit organization. They want to support the community as best they can. If there is a significant community out there using their certificates in this manner, let them know. Better yet, back it up with offers of sponsorship or direct assistance in providing the service.