On Wed, Apr 01, 2026 at 05:52:44PM -0500, Nico Williams wrote:
> On Wed, Apr 01, 2026 at 10:05:31PM +0000, Andrei Popov wrote:
> > Just to clarify: the net negative you're referring to is that an extra
> > certificate hierarchy (for client-only certs) needs to be configured
> > on certain deployed TLS clients?
>
> No, that would be ok. I'm talking about the disappearance of options
> for getting clientAuth dNSName SAN certificates.

But also I'd like to understand what the danger is with just clientAuth dNSName SAN certificates that chain to WebPKI roots. I expect the danger of that for Web services is nil, so it's really the role-symmetric type of services (MTA, XMPP) that most benefitted from being able to get clientAuth dNSName SAN certificates that chain to WebPKI roots.
