On Mon, Mar 23, 2026 at 02:00:35PM -0400, Michael Richardson wrote:
> Salz, Rich <[email protected]> wrote:
> > Since WebPKI CAs will not be able to issue TLS-Client certificates,
> > what are the customers and CAs thinking of doing?
>
> You say this as if it's a new thing :-)

Well, it's recent. It happened around October 2025.

> Is it the "change" that certificates obtained for code signing or email use
> will have the tls-kp-clientAuth EKU omitted?

The change is that roots in the Chrome Root Program may not sign intermediates that sign any EE certificates having any EKUs other than id-kp-serverAuth. A CA can still have roots outside the CRP that do sign intermediates that do sign non-server EE certificates, but probably few will.

> > Replies to me will be summarized to both lists. Please be careful if
> > you use reply-all.
>
> 1. This assumes the RP are checking EKU.

Yes, but they should.

> 2. I think 94% of usage of mTLS is via private PKI for the client side.

Probably true. The two applications I know to be affected are XMPP and SMTP.

Nico

--
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
