
On Thu, May 22, 2025 at 1:28 PM Tom Beecher via NANOG <nanog@lists.nanog.org> wrote:
So let me get this straight.
1. You have just spent multiple days arguing that EKU options in X.509 certificates are not something that should be used at all because (in your ..
2. LetsEncrypt is making a change to REMOVE one of the possible EKU ..
3. You interpret this as having something 'imposed' on you.
Yes. To use network routers as an analogy to what the CA is doing, in network terms:

1. Your router vendor should not ship you internet routers with an access-list (EKU) imposed upon your equipment's network interfaces' traffic forwarding capabilities without your request and approval as the subject/owner of the machine (the owner of the cert whose identity the CA exists to attest to).

2. LetsEncrypt originally issued you the certificates you applied for to authenticate your identity with no EKU, or a less-restrictive EKU. In network terms: your router vendor ships your equipment with no default access list imposed, so at least you can decide the policy locally, or at least it contains "permit ip any any".

3. LetsEncrypt's change is to start enforcing that you can only get certificates with an EKU, and it must be a more restrictive EKU. You will only be allowed to forward packets compliant with that more restrictive EKU, and the EKU signals other parties to drop packets from you which don't comply. In network terms: your hardware vendor's change of policy is to start enforcing a new access-list on all IP interfaces that says "permit tcp any any; deny any", with no approval or option for the subject of the cert to remove or revise the declared restriction. There may be some protocols you are using which are no longer allowed, such as ICMP, but your vendor does not think a significant number of people use ICMP, so they don't care that you would not be able to get routers approved by them to forward that protocol anymore.

-- 
-JA
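The access-list analogy above maps onto a concrete relying-party rule: a certificate with no extKeyUsage extension is unrestricted, while one that carries the extension is accepted only for the purposes it lists (or for anything, if it lists anyExtendedKeyUsage). The following script is an added illustration written for this page, not code from either poster or from Let's Encrypt. It decodes and encodes the DER value of the extKeyUsage extension (RFC 5280, OID 2.5.29.37) using only the Python standard library and applies that acceptance rule. The OID constants are the standard serverAuth, clientAuth and anyExtendedKeyUsage values; the DER byte strings are constructed for the example and do not come from any real certificate, and the choice of which EKU to show as "dropped" is an assumption for illustration, not a statement about any CA's policy.

```python
# Added example: decode/encode an X.509 extKeyUsage extension value and apply the
# relying-party acceptance rule. Standard library only. Sample DER below is constructed.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:                    # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a full DER OBJECT IDENTIFIER TLV (short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    assert len(body) < 128, "short-form length only in this example"
    return bytes([0x06, len(body)]) + body


def decode_eku(ext_value: bytes) -> list:
    """extKeyUsage ::= SEQUENCE OF KeyPurposeId (OBJECT IDENTIFIER)."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, oid_bytes, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extKeyUsage")
        oids.append(decode_oid(oid_bytes))
    return oids


def encode_eku(oids) -> bytes:
    """Build the DER value for an extKeyUsage extension from dotted OIDs."""
    body = b"".join(encode_oid(o) for o in oids)
    assert len(body) < 128, "short-form length only in this example"
    return bytes([0x30, len(body)]) + body


def permits(eku, purpose: str) -> bool:
    """Relying-party rule: eku=None (extension absent) is the 'permit ip any any'
    case of the analogy; otherwise the purpose must be listed, or anyExtendedKeyUsage
    must be present (RFC 5280 4.2.1.12; applications may still be stricter)."""
    if eku is None:
        return True
    return ANY_EKU in eku or purpose in eku


# Constructed sample extension values (hand-encoded DER, then cross-checked by encode_eku).
EKU_SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")
EKU_ANY = bytes.fromhex("30060604551d2500")

if __name__ == "__main__":
    for label, ext in (("no EKU", None), ("serverAuth only", EKU_SERVER_ONLY), ("anyEKU", EKU_ANY)):
        eku = None if ext is None else decode_eku(ext)
        print(f"{label:16} clientAuth accepted: {permits(eku, CLIENT_AUTH)}")
```

The decoder intentionally rejects anything that is not a SEQUENCE of OBJECT IDENTIFIERs rather than skipping unexpected tags, which is the conservative choice for a parser that gates an authentication decision.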