On Wed, Apr 01, 2026 at 10:05:31PM +0000, Andrei Popov wrote:
> > Given that it's not, and that uses existed, and users have been
> > negatively impacted by a policy that was never publicized in the
> > right places and for which no public comment was allowed, the only
> > fair question is the original.
>
> In Google's defense, it's a policy for their own TRP; I would not
> expect public comment on corporate policy.

It's a policy that they impose by sheer market force on third parties.
That brings in questions of antitrust laws and policy.

> > Typically applications that support client certificates will have a
> > list of client _names_ that are allowed to access the service, or
> > some other form of authorization ultimately keyed by the client's
> > authenticated name.  Applications that do not support client
> > certificates will simply ignore client certificates.
>
> Understood; the problem is that client names aren't scoped globally
> like Web server names, so conflicts are possible, leading to client
> impersonation.

Have I not mentioned at least once that I'm specifically referring to
dNSName SAN certificates?  Those are "scoped globally like Web server
names".

> > What I am objecting to is the subsequent disappearance of a product
> > from the market which was an indirect consequence of the policy
> > change, and that disappearance is leading people to engage in
> > workarounds that effectively defeat the policy change but in a way
> > that is a net negative to the Internet.  The policy change has
> > simply backfired and needs revision.
>
> Just to clarify: the net negative you're referring to is that an extra
> certificate hierarchy (for client-only certs) needs to be configured
> on certain deployed TLS clients?

No, that would be ok.  I'm talking about the disappearance of options
for getting clientAuth dNSName SAN certificates.

Though someone just wrote me off-list that:

| I know at least of GlobalSign Client Authentication Root R45 and
| GlobalSign Client Authentication Root E45 (but have no experience with
| them).
|
| https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates

So perhaps not all CAs have exited that market.  But this is just their
root certificates; I've not yet found how to get a client certificate
from them nor how much it costs.

Nico
--
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
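The exchange above rests on two technical points: a dNSName SAN in a clientAuth certificate is a globally scoped name, so a relying party can authorize a TLS client by that name against an allowlist, and client-only certificates come from a separate hierarchy that the relying party must trust and check for the clientAuth EKU. The Go program below is an added example, not code from this thread or from any CA, root program or TLS implementation mentioned in it. It constructs a throwaway in-memory CA, issues a leaf with a clientAuth EKU and a dNSName SAN, and applies an authorization check keyed by that name; a leaf that carries only serverAuth is rejected at the chain step even though it bears the same name. The CA name and `batch-agent.example.test` are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed, in-memory CA used only for this example.
type TestPKI struct {
	Pool   *x509.CertPool // the client-auth trust anchor a relying party would configure
	ca     *x509.Certificate
	caKey  *ecdsa.PrivateKey
	serial int64
}

// NewTestPKI creates a self-signed CA certificate and a pool containing it.
func NewTestPKI() (*TestPKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Client Auth Test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &TestPKI{Pool: pool, ca: ca, caKey: key, serial: 1}, nil
}

// Issue signs a leaf whose identity is the dNSName SAN dnsName and whose
// extended key usages are exactly ekus (clientAuth, serverAuth, or both).
func (p *TestPKI) Issue(dnsName string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	p.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // the globally scoped name the thread refers to
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.ca, &key.PublicKey, p.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AuthorizeClient is the relying-party check: the presented leaf must chain to
// the configured client-auth roots with a clientAuth EKU, and one of its dNSName
// SANs must be on the allowlist. It returns the authenticated name on success.
func AuthorizeClient(leaf *x509.Certificate, roots *x509.CertPool, allowed map[string]bool) (string, error) {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("chain or clientAuth EKU check failed: %w", err)
	}
	for _, name := range leaf.DNSNames {
		if allowed[name] {
			return name, nil
		}
	}
	return "", errors.New("no dNSName SAN is on the allowlist")
}

func main() {
	pki, err := NewTestPKI()
	if err != nil {
		panic(err)
	}
	allowed := map[string]bool{"batch-agent.example.test": true}
	client, _ := pki.Issue("batch-agent.example.test", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	name, err := AuthorizeClient(client, pki.Pool, allowed)
	fmt.Println("clientAuth cert:", name, err)
	serverOnly, _ := pki.Issue("batch-agent.example.test", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	_, err = AuthorizeClient(serverOnly, pki.Pool, allowed)
	fmt.Println("serverAuth-only cert rejected:", err)
}
```

The pool passed to `AuthorizeClient` is the "extra certificate hierarchy" from the thread: a relying party that only trusts a serverAuth hierarchy will never accept these leaves, and one that trusts the client-auth roots still has to key authorization on the SAN rather than on the bare fact that a chain verified.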
