Hiya,
On 01/04/2026 01:00, David Adrian wrote:
Speaking for the Chrome Root Program [1], the policy does not introduce a blanket prohibition on all CAs from issuing TLS certificates containing both clientAuth and serverAuth EKUs. Rather, after March 15, 2027, the Chrome Root Store will, by default, only include anchors representing serverAuth-only hierarchies.
I'm only being curious here, so don't feel a need to answer, but I wonder, if you applied this policy today, can you say how many anchors would still be included and how many would be excluded? An equally good answer might say how many you predict would still be included vs. excluded in March 2027, though of course that'd require guessing what CAs will do in the meantime. Thanks, S.
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
