
Is there any clear documentation of what is going on here?
Yes.

LE's announcement: https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/

Chromium Root Program Participation Policies, v1.6, Sec 2: https://googlechrome.github.io/chromerootprogram/#2-chrome-root-program-part...

To continue to be a Root CA in the Chrome Root Store, CAs must abide by the new requirements, which for this convo is:

- focused only on the specific PKI use case of issuing TLS server authentication certificates to websites.

Most things, especially in a browser, are going to be doing 'normal' (1-way) TLS, meaning only the server identity is verified. It is also possible to implement mutual TLS (mTLS), in which the client and server must both verify their identities. This is where TLS client authentication certs are used. Most people aren't doing mTLS for a variety of reasons, and if you are, you're not relying on a public CA to do it anyways.

On Mon, May 19, 2025 at 6:49 AM Christian de Larrinaga via NANOG <nanog@lists.nanog.org> wrote:
brent saner via NANOG <nanog@lists.nanog.org> writes:
On Sat, May 17, 2025, 19:34 William Herrin via NANOG <nanog@lists.nanog.org> wrote:
Does seem like it might have an impact on SMTP...
SMTPS/SMTP + STARTTLS for MTA <-> MTA does not use id-kp-clientAuth EKU, which is what they're deprecating/removing. Certs are used on MTAs for *identity verification of the server* and *integrity validation/encryption*, not authentication.
It is strictly only used for *authenticating clients*, hence the name, in mTLS (or *client*-driven one-way TLS, which I don't think I've ever actually seen in the wild to my knowledge).
The only case this would matter is if you are using an MUA/sender/client *authenticating* to an MTA with a certificate. 99.999% of email is one-way server TLS, not mTLS. LE certs will continue to work fine for SMTP.
Maybe this answers my questions. I am not sure.

Is there any clear documentation of what is going on here?
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/HV65MB3D...
--
Christian de Larrinaga