Alan DeKok <[email protected]> writes:

>I would suggest that any non-web CA standards need to be kept outside of the
>CA/B forum.

I'm not sure if that's actually possible, the CA/B forum sets de facto
standards for all public CAs because all of them sell to web PKI users.  And
then Google has a de facto veto power over anything through its
crowbar-into-the-gears ability to dictate to the CAs via its dominant market
position, thus the clientAuth EKU mess.  Do a web search on "clientauth eku"
and you'll get nothing but statements by a who's-who of public CAs saying
they're going to deprecate it because Google says so.  For example, from the
first hit:

  The Google Chrome Root Program requires Certificate Authorities (CAs) to
  stop including the Client Authentication extended key usage (EKU) in public
  TLS certificates. To align with this requirement and enhance digital trust,
  DigiCert will stop including the Client Authentication EKU in our public TLS
  certificates on March 1, 2027.

Peter.

_______________________________________________
TLS mailing list -- [email protected]
