On Thu, May 22, 2025 at 1:28 PM Tom Beecher via NANOG
<[email protected]> wrote:
> So let me get this straight.
> 1. You have just spent multiple days arguing that EKU options in X.509
> certificates is not something that should be used at all because (in your
..
> 2. LetsEncrypt is making a change to REMOVE one of the possible EKU
..
> 3. You interpret this as having something 'imposed' on you.
Yes. To use network routers as an analogy to what the CA is doing:

1. In network terms: your router vendor should not ship you internet routers
with an access-list (EKU) imposed upon your equipment's network interfaces'
traffic-forwarding capabilities without your request and approval as the
subject/owner of the machine (owner of the cert whose identity the CA exists
to attest to).

2. LetsEncrypt originally issues you certificates you applied for to
authenticate your identity with no EKU, or a less-restrictive EKU.
In network terms: your router vendor ships your equipment with no default
access list imposed, so at least you can decide the policy locally, or at
least it contains:
    permit ip any any

3. LetsEncrypt's change is to start enforcing that you can only get
certificates with an EKU, and it must be a more restrictive EKU. You will
only be allowed to forward packets compliant with that more restrictive EKU,
and the EKU signals other parties to drop packets from you which don't comply.
In network terms: your hardware vendor's change of policy is to start
enforcing a new access-list on all IP interfaces that says:
    permit tcp any any
    deny any
with no approval or option for the subject of the cert to remove or revise
the declared restriction. There may be some protocols you are using which
are no longer allowed, such as ICMP, but your vendor does not think a
significant number of people use ICMP, so they don't care that you would not
be able to get routers approved by them to forward that protocol anymore.
--
-JA
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/EZELNRSO7246LIEZHBD7WFFMMFEXYG5L/
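The enforcement the post describes (a relying party refusing a certificate for a purpose its EKU does not list) can be seen directly in Go's standard-library crypto/x509 verifier. The following is an added example, not code from the post, from NANOG, or from Let's Encrypt: it builds a constructed throwaway root and leaf in memory, stamps the leaf with a chosen EKU set (the "access-list" in the analogy), and asks the verifier whether the leaf is accepted for serverAuth and for clientAuth. The function names issue and acceptedFor and the example.test names are assumptions of this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a throwaway self-signed root and a leaf signed by it. The leaf
// carries exactly the EKUs passed in; nil means no EKU extension at all (the
// "no access-list" case from the analogy). All names are constructed for this
// example; nothing here is a real CA or a Let's Encrypt issuance profile.
func issue(ekus []x509.ExtKeyUsage) (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus, // the "access-list" the CA stamps onto the subject's cert
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	return root, leaf, nil
}

// acceptedFor is the relying party's decision: does the leaf chain to the root
// AND is it permitted for the purpose this verifier needs? Go's Verify rejects a
// chain whose EKU does not cover the requested usage ("certificate specifies an
// incompatible key usage"); a leaf with no EKU extension at all is treated as
// unrestricted.
func acceptedFor(root, leaf *x509.Certificate, need x509.ExtKeyUsage) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{need},
	})
	return err == nil
}

func main() {
	profiles := []struct {
		name string
		ekus []x509.ExtKeyUsage
	}{
		{"no EKU (permit ip any any)", nil},
		{"serverAuth+clientAuth", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}},
		{"serverAuth only (permit tcp; deny any)", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
	}
	for _, p := range profiles {
		root, leaf, err := issue(p.ekus)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-40s serverAuth=%-5v clientAuth=%v\n", p.name,
			acceptedFor(root, leaf, x509.ExtKeyUsageServerAuth),
			acceptedFor(root, leaf, x509.ExtKeyUsageClientAuth))
	}
}
```

A leaf with no EKU extension is accepted for either use, while a serverAuth-only leaf is rejected the moment a peer asks for clientAuth; nothing the subject does with its private key changes that, because the decision is made by the other party from the extension the CA signed. Other TLS stacks have their own rules for an absent or unusual EKU, so check the verifier you actually face rather than assuming Go's behaviour.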