|
|
|
|
|
|
by throw0101a
134 days ago
|
|
|
> Let's Encrypt could of course continue offering client certificates if they wanted to, but they'd need to set up a separate root for those certificates to chain up to, and they don't think there's enough demand for that to be worth it. Why an entire new root? Perhaps set up a ACME profile [1] where the requestor could ask for clientAuth if their use case would be helped; the default would be off. Google would be free to reject with-clientAuth HTTPS server certificates in their browser, but why should they care if a XMPP or SMTP server has a such a certificate if the browser never sees it? [1] https://datatracker.ietf.org/doc/draft-ietf-acme-profiles/ |
|
|
> To qualify as a dedicated TLS server authentication PKI hierarchy under this policy:
> All corresponding unexpired and unrevoked subordinate CA certificates operated beneath an applicant root CA MUST:
> [...]
> when disclosed to the CCADB…
> [...]
> on or after June 15, 2025, include the extendedKeyUsage extension and only assert an extendedKeyUsage purpose of id-kp-serverAuth.
> [...]
> NOT contain a public key corresponding to any other unexpired or unrevoked certificate that asserts different extendedKeyUsage values.
https://googlechrome.github.io/chromerootprogram/policy-arch...