> > Is there any clear documentation of what is going on here?

Yes.

LE's announcement: https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/

Chromium Root Program Participation Policies, v1.6, Sec2: https://googlechrome.github.io/chromerootprogram/#2-chrome-root-program-participant-policies

To continue to be a Root CA in the Chrome Root Store, CAs must abide by the new requirements, which for this convo is:

- focused only on the specific PKI use case of issuing TLS server authentication certificates to websites.

Most things, especially in a browser, are going to be doing 'normal' (1-way) TLS, meaning only the server identity is verified. It is also possible to implement mutual TLS (mTLS), in which the client and server must both verify their identities. This is where TLS client authentication certs are used.

Most people aren't doing mTLS for a variety of reasons, and if you are, you're not relying on a public CA to do it anyways.

On Mon, May 19, 2025 at 6:49 AM Christian de Larrinaga via NANOG <[email protected]> wrote:

> brent saner via NANOG <[email protected]> writes:
>
> > On Sat, May 17, 2025, 19:34 William Herrin via NANOG <[email protected]>
> > wrote:
> >>
> >> Does seem like it might have an impact on SMTP...
> >>
> >
> > SMTPS/SMTP + STARTTLS for MTA <-> MTA does not use id-kp-clientAuth EKU,
> > which is what they're deprecating/removing. Certs are used on MTAs for
> > *identity verification of the server* and *integrity
> > validation/encryption*, not authentication.
> >
> > It is strictly only used for *authenticating clients*, hence the name, in
> > mTLS (or *client*-driven one-way TLS, which I don't think I've ever
> > actually seen in the wild to my knowledge).
> >
> > The only case this would matter is if you are using an MUA/sender/client
> > *authenticating* to an MTA with a certificate. 99.999% of email is one-way
> > server TLS, not mTLS. LE certs will continue to work fine for SMTP.
> >
> > maybe this answers my questions. I am not sure.
> > Is there any clear documentation of what is going on here?
> >
> >>
> > _______________________________________________
> > NANOG mailing list
> >
> https://lists.nanog.org/archives/list/[email protected]/message/HV65MB3DDIQG6U45PWYZWQL47TB27Y3D/
>
> --
> Christian de Larrinaga
> _______________________________________________
> NANOG mailing list
>
> https://lists.nanog.org/archives/list/[email protected]/message/F5UVFTDK3N2PQZYOZYCD5SZH6SFOQZPM/
>
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/J6WRLXVU6DNLYDEC4MVUWFR5QV2UPE6Z/
