by bawolff 134 days ago
Google didn't force Let's Encrypt to totally get out of the client cert business, they just decided it wasn't worth the effort anymore.
3 comments

Publicly-trusted client authentication does nothing. It's not a thing that should exist, or is needed.
It does if the "client" in the TLS sense is really a public server in a federated network. Like, for example, in XMPP, which you may have heard of.
Then you specify your protocol to accept server certs from clients
I don't think this is true. It's something that could be useful, with some sort of ACME-like automated issuance, but should definitely be issued from a non-WebPKI certificate authority.
Feel free to start your own non-profit to issue client certs signed by a public authority.

As LE says, most users of client certs are doing mTLS and so self-signed is fine.
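As an added example (not code from any commenter, from Let's Encrypt or from Google), here is the policy the two points above describe, in Go: an mTLS server that trusts only a private root generated in memory (no public CA involved), and which can optionally accept a peer that presents an ordinary serverAuth certificate, the "accept server certs from clients" rule a federated XMPP-style deployment needs. The root, the names (private-root, alice, xmpp.example, mallory) and the federated flag are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// identity is a certificate plus its private key. Everything is generated in
// memory for this example; nothing touches the WebPKI or any real CA.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn signed by parent; parent == nil makes a
// self-signed root (the "self-signed is fine" case for a private mTLS deployment).
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku, // nil on the root means "unrestricted"
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &identity{cert: cert, key: key}
}

// tlsCert packages an identity for use in a tls.Config.
func tlsCert(id *identity) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{id.cert.Raw}, PrivateKey: id.key, Leaf: id.cert}
}

// peerVerifier returns a VerifyPeerCertificate callback that chains the presented
// certificate to the private root only. With federated=true a peer presenting an
// ordinary server certificate (serverAuth EKU) is accepted as well; with
// federated=false only a clientAuth certificate passes.
func peerVerifier(root *identity, federated bool) func([][]byte, [][]*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root.cert)
	usages := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	if federated {
		usages = append(usages, x509.ExtKeyUsageServerAuth)
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("bad peer certificate: %w", err)
		}
		intermediates := x509.NewCertPool()
		for _, raw := range rawCerts[1:] {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return fmt.Errorf("bad intermediate: %w", err)
			}
			intermediates.AddCert(c)
		}
		// Verify rejects chains that do not reach our root and leaves whose EKU
		// matches none of the requested usages.
		_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, KeyUsages: usages})
		return err
	}
}

// serverConfig wires the verifier into a tls.Config for a service that demands mTLS.
func serverConfig(server *identity, root *identity, federated bool) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{tlsCert(server)},
		MinVersion:            tls.VersionTLS12,
		ClientAuth:            tls.RequireAnyClientCert, // demand a cert; the callback does the checking
		VerifyPeerCertificate: peerVerifier(root, federated),
	}
}

// accepted reports whether a peer presenting its certificate passes the verifier.
func accepted(v func([][]byte, [][]*x509.Certificate) error, peer *identity) bool {
	return v([][]byte{peer.cert.Raw}, nil) == nil
}

func main() {
	root := issue("private-root", true, nil, nil)
	client := issue("alice", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, root)
	peerServer := issue("xmpp.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, root)
	strangerRoot := issue("other-root", true, nil, nil)
	stranger := issue("mallory", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, strangerRoot)

	strict, fed := peerVerifier(root, false), peerVerifier(root, true)
	fmt.Println("client cert, strict:     ", accepted(strict, client))     // true
	fmt.Println("server cert, strict:     ", accepted(strict, peerServer)) // false
	fmt.Println("server cert, federated:  ", accepted(fed, peerServer))    // true
	fmt.Println("other CA, federated:     ", accepted(fed, stranger))      // false
	_ = serverConfig(peerServer, root, true)                               // ready for tls.NewListener
}
```

The rejection of the certificate from the unrelated root is the whole point of the thread: trust is pinned to a root the operator controls, so no publicly trusted issuer, and no Chrome Root Program EKU rule, has any bearing on whether a peer is accepted.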

"Most users" is a convenient excuse to ignore affected users.
> they just decided it wasn't worth the effort anymore

That seems disingenuous. Doesn't being in the client cert business now require a lot of extra effort that it didn't before, due entirely to Google's new rule?

No, not really. Unless you consider basic accountability "extra effort".
Basic accountability doesn't pay for the infrastructure required for a separate root.