> > Does the IETF have a Liason to the Chrome Root Program? > > + @David Benjamin and @David Adrian both participate in IETF.
Speaking for the Chrome Root Program [1], the policy does not introduce a blanket prohibition on all CAs from issuing TLS certificates containing both clientAuth and serverAuth EKUs. Rather, after March 15, 2027, the Chrome Root Store will, by default, only include anchors representing serverAuth-only hierarchies. This does not preclude CAs from: - Continuing to issue from hierarchies that may be trusted elsewhere - Issuing clientAuth certificates from a new hierarchy Nothing also stops non-Chrome clients from altering the content of their trust stores to trust CAs relevant to their use case. History has taught us that commingling PKI use cases causes more harm than good. It is a consistent security problem when PKI hierarchies intended for public web sites get entangled in non-web use cases. As an example, such behavior slowed the deprecation of SHA-1 in 2018 because payment card terminal implementations and their corresponding root stores could not be updated. The plan to move to serverAuth only was first communicated to CA Owners at a CABF meeting in 2021 [2]. It is designed to prevent more situations like the one above from happening in the future. [1]: https://googlechrome.github.io/chromerootprogram/#introduction [2]: https://drive.google.com/file/d/1pwhslUTqqkJci84nzyP4jUEmop4MeSVP/view On Mon, Mar 30, 2026 at 4:53 PM Mike Ounsworth <[email protected]> wrote: > > Does the IETF have a Liason to the Chrome Root Program? > > + @David Benjamin <[email protected]> and @David Adrian both > participate in IETF. > > On Mon, 30 Mar 2026 at 15:40, Nico Williams <[email protected]> wrote: > >> On Mon, Mar 30, 2026 at 08:04:54PM +0000, Salz, Rich wrote: >> > The overwhelming response (strong consensus) — both posted and via >> > private replies — is that applications will just switch to >> > TLS-Server-Auth identities for the client side. >> >> That violates RFCs 5280 & 8446 and vitiates the Chrome Root Program's >> new policy. Whatever problem that policy change meant to addres might >> only be made worse by this approach (sure, only for those apps that >> implement this workaround, but for those, yes, it will be worse). >> >> There has to be a better way. >> >> Does the IETF have a Liason to the Chrome Root Program? Can we reach >> out to them and ask them? When I did they simply did not respond, but >> if the IETF TLS and/or LAMPS WG chairs, or IETF Security ADs reach out >> to them perhaps they'll respond -- failing that then maybe the IETF >> Chair or the IAB. >> >> Nico >> -- >> >> _______________________________________________ >> Spasm mailing list -- [email protected] >> To unsubscribe send an email to [email protected] >> > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
