
On Thu, May 22, 2025 at 11:27 AM Tom Beecher <beecher@beecher.cc> wrote:
Google and Letsencrypt, as discussed in the message which started this thread.
So let me get this straight.
Hi Tom,

I wouldn't say you have it straight, but you have the basic facts.

In my opinion, EKUs should not exist because they corrupt the authentication-authorization process by placing an authorization component in the authentication step. Since they do exist, despite my displeasure, letsencrypt was doing the right thing by including both compatible EKUs in the certificates they issue, making their existence moot.

Per the press release, they will cease doing the right thing.

Per the press release, they will cease doing the right thing because Google insisted and threatened to make their certificates stop working if they didn't. That is an imposition, and it's from Google who is about as "on high" as it gets without being an actual government.

This imposition is possible because the base technology improperly mixed authentication and authorization components instead of keeping the boundary between the two clean.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/