It’s not really the CAs driving this. It’s the Google Trusted Root Program. The CAs want their roots trusted by Chrome.
This article has a little more background on it. https://www.ssl.com/blogs/removal-of-the-client-authentication-eku-from-tls-server-certificates-what-you-need-to-know/amp/ On Thu, May 22, 2025 at 10:54 AM Eliot Lear via NANOG <[email protected]> wrote: > > On 22.05.2025 19:44, Tom Beecher via NANOG wrote: > >> While I /might/ want to do that I definitely don't > >> want it imposed on me from on high. > > > > It's **YOUR** certificate that **YOU** are creating. The EKU is NOT > > mandatory to have present. > > > > Who is "imposing" something on you? > > The CA. > > Eliot > > > > > > On Thu, May 22, 2025 at 12:29 PM William Herrin via NANOG < > > [email protected]> wrote: > > > >> On Tue, May 20, 2025 at 8:10 AM Jay Acuna via NANOG > >> <[email protected]> wrote: > >>> One of the things a user /might/ want to do is have multiple > >> Public/Secret > >>> keypairs, and compartmentalize your keys. > >> Hi Jay, > >> > >> I /might/ want to do that, but it's still a mishmash of authentication > >> and authorization,. While I /might/ want to do that I definitely don't > >> want it imposed on me from on high. The CA should be authenticating my > >> identity, not "helping" make authorization decisions. > >> > >> Regards, > >> Bill Herrin > >> > >> > >> -- > >> William Herrin > >> [email protected] > >> https://bill.herrin.us/ > >> _______________________________________________ > >> NANOG mailing list > >> > >> > https://lists.nanog.org/archives/list/[email protected]/message/ZCBG6UNGPY33PWNZUWWOQFO4ARHKBQHE/ > > _______________________________________________ > > NANOG mailing list > > > https://lists.nanog.org/archives/list/[email protected]/message/GNNNY3SZFGDG2LNEU3SN4URYKKWELDTJ/ > > > _______________________________________________ > NANOG mailing list > > https://lists.nanog.org/archives/list/[email protected]/message/5WQYR4SVLNEJO7CF3PYYFKTXZXWZPW6Q/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/MTLFMRPTMAKTPP6OD2XKZ37OGTWUEBT5/
