I don't disagree that Google imposing certain conditions on the CAs isn't great, but that's a separate conversation.
LetsEncrypt is no longer supporting one of the EKU options... that people have been complaining here for days shouldn't ever be used in the first place. /boggle

On Thu, May 22, 2025 at 2:04 PM Jay Acuna <[email protected]> wrote:

> On Thu, May 22, 2025 at 12:45 PM Tom Beecher via NANOG
> <[email protected]> wrote:
>
> > > want it imposed on me from on high.
> > It's **YOUR** certificate that **YOU** are creating. The EKU is NOT
> > mandatory to have present.
>
> > Who is "imposing" something on you?
>
> Your CA is imposing it clearly.. in this case LetsEncrypt.
>
> However, their reasoning ultimately is Google is mandating a new
> standard by fiat, and unilaterally to limit the declared purposes for
> your certificates.
>
> Although Google is one vendor and doesn't have IETF or any industry
> standards body in agreement to make EKU a mandatory field.
> Google holds a monopoly position which they can abuse to bypass
> all standards bodies and hold your CA hostage should they not agree
> to any new arbitrary standards or rules they come up with.
>
> If your CA doesn't agree to create and impose the extra restrictions
> on you and how you can use your certificates with other software,
> then Google will drop support for all LetsEncrypt certs from
> their browser Chrome.
>
> --
> -JA
> _______________________________________________

NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/QWDOAL6G3GCF3WOGE7CUA4V7PYI4HIYN/
