On Wed, Apr 01, 2026 at 06:31:07PM -0400, David Adrian wrote:

> > I assume that *GOOGLE* will stop using *WEB* server certificates for
> > its SMTP.  Or, that the GOOGLE Root program, will stop including
> > "GTS Root R1".
> 
> Yes.

Given the rhetorical question poses two alternatives, that "yes" is
perhaps not sufficiently precise.

But, since it is not realistically possible to change the Google MX
hosts to use an EKU different from "serverAuth" (meaning "TLS server" in
practice, the "WWW" part was always just one of the possible contexts),
presumably that "yes" was about excluding "GTS Root R1" from the CRP?
I would be surprised if that happened, especially if the reason was to
limit "serverAuth" issuance by CA to just web servers, but life is
sometimes full of surprises...

It should be noted of course that ACME CAs (e.g. Let's Encrypt) have no
mechanism by which they can determine whether a "serverAuth" certificate
will or won't be used by just Web servers.  So, if one decides to exclude
CAs based on a finding that SMTP servers are using a "serverAuth" certificate
from said CAs, all the WebPKI CAs would end up excluded.

At present, my up-to-date Chrome browser lists "GTS Root R1" as trusted:

    chrome://certificate-manager/crscerts
        ... 
        GTS Root R1
            D947432ABDE7B7FA90FC2E6B59101B1280E0E1C7E4E40FA3C6887FFF57A7F4CF
        ...

    https://crt.sh/?q=D947432ABDE7B7FA90FC2E6B59101B1280E0E1C7E4E40FA3C6887FFF57A7F4CF
        Issuer: (CA ID: 48269)
            commonName                = GTS Root R1
            organizationName          = Google Trust Services LLC
            countryName               = US
        Validity
            Not Before: Jun 22 00:00:00 2016 GMT
            Not After : Jun 22 00:00:00 2036 GMT
        Subject: (CA ID: 48269)
            commonName                = GTS Root R1
            organizationName          = Google Trust Services LLC
            countryName               = US

-- 
    Viktor.  🇺🇦 Слава Україні!
