
It’s not really the CAs driving this. It’s the Google Trusted Root Program. The CAs want their roots trusted by Chrome. This article has a little more background on it. https://www.ssl.com/blogs/removal-of-the-client-authentication-eku-from-tls-...

On Thu, May 22, 2025 at 10:54 AM Eliot Lear via NANOG <nanog@lists.nanog.org> wrote:
On 22.05.2025 19:44, Tom Beecher via NANOG wrote:
While I /might/ want to do that I definitely don't want it imposed on me from on high.
It's **YOUR** certificate that **YOU** are creating. The EKU is NOT mandatory to have present.
Who is "imposing" something on you?
The CA.
Eliot
On Thu, May 22, 2025 at 12:29 PM William Herrin via NANOG <nanog@lists.nanog.org> wrote:
On Tue, May 20, 2025 at 8:10 AM Jay Acuna via NANOG <nanog@lists.nanog.org> wrote:
One of the things a user /might/ want to do is have multiple Public/Secret keypairs, and compartmentalize your keys.
Hi Jay,
I /might/ want to do that, but it's still a mishmash of authentication and authorization. While I /might/ want to do that I definitely don't want it imposed on me from on high. The CA should be authenticating my identity, not "helping" make authorization decisions.
Regards, Bill Herrin
--
William Herrin
bill@herrin.us
https://bill.herrin.us/
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/ZCBG6UNG...