Hacker News
by everfrustrated 135 days ago
From https://letsencrypt.org/2025/05/14/ending-tls-client-authent...

"This change is prompted by changes to Google Chrome’s root program requirements, which impose a June 2026 deadline to split TLS Client and Server Authentication into separate PKIs. Many uses of client authentication are better served by a private certificate authority, and so Let’s Encrypt is discontinuing support for TLS Client Authentication ahead of this deadline."

TL;DR blame Google


Google didn't force Let's Encrypt to totally get out of the client cert business, they just decided it wasn't worth the effort anymore.

Publicly-trusted client authentication does nothing. It's not a thing that should exist, or is needed.

It does if the "client" in the TLS sense is really a public server in a federated network. Like for example in XMPP which you may have heard of.

Then you specify your protocol to accept server certs from clients

I don't think this is true. It's something that could be useful, with some sort of ACME-like automated issuance, but should definitely be issued from a non-WebPKI certificate authority.

Feel free to start your own non-profit to issue client certs signed by a public authority.
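The "accept server certs from clients" rule described in the comment above, as an added Go example (not code from the thread or from any project mentioned in it): the accepting side verifies the peer's chain against the serverAuth EKU instead of the clientAuth EKU that crypto/tls applies to client certificates by default, which is what lets a federation peer authenticate with an ordinary server certificate once public CAs stop issuing clientAuth. The private CA, the leaf and the name xmpp.example are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// verifyFederatedPeer validates the chain a TLS *client* presented, but against the
// EKU in want. crypto/tls's built-in client-cert check insists on clientAuth; passing
// ExtKeyUsageServerAuth is the "accept server certs from clients" rule for federation.
func verifyFederatedPeer(rawCerts [][]byte, roots *x509.CertPool, want x509.ExtKeyUsage) error {
	certs, err := x509.ParseCertificates(bytes.Join(rawCerts, nil)) // leaf first, then intermediates
	if err != nil {
		return err
	}
	if len(certs) == 0 {
		return errors.New("peer presented no certificate")
	}
	inter := x509.NewCertPool()
	for _, c := range certs[1:] {
		inter.AddCert(c)
	}
	_, err = certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{want}})
	return err
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// buildChain makes a private CA and a serverAuth-only leaf in memory: constructed test
// data standing in for a federation peer's ordinary server certificate (no clientAuth EKU).
func buildChain() (*x509.CertPool, [][]byte) {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Private Federation CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey))))
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "xmpp.example"}, DNSNames: []string{"xmpp.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTpl, caCert, leafPub, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, [][]byte{leafDER}
}
```

In a real server, verifyFederatedPeer would be called from tls.Config.VerifyPeerCertificate with ClientAuth set to RequestClientCert or RequireAnyClientCert, so that the library's own clientAuth check is not applied first.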

As LE says, most users of client certs are doing mTLS and so self-signed is fine.

"Most users" is a convenient excuse to ignore affected users.
> they just decided it wasn't worth the effort anymore

That seems disingenuous. Doesn't being in the client cert business now require a lot of extra effort that it didn't before, due entirely to Google's new rule?

No, not really. Unless you consider basic accountability "extra effort".
Basic accountability doesn't pay for the infrastructure required for a separate root.