I get why Chrome doesn't want it (it doesn't serve Chrome's interests), but that doesn't explain why Let's Encrypt had to remove it. The reason seems to be "you can't be a Chrome CA and not do exactly what Chrome wants, which is... only things Chrome wants to do". In other words, CAs have been entirely captured by Chrome. They're Chrome Authorities.
Am I the only person that thinks this is insane? All web security is now at the whims of Google?
One reason is that the client certificate with id-kp-clientAuth EKU and a dNSName SAN doesn't actually authenticate the client's FQDN. To do that you'd have to do something of a return routability check at the app layer where the server connects to the client by resolving its FQDN to check that it's the same client as on the other connection. I'm not sure how seriously to take that complaint, but it's something.
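The gap the comment above points at is that a certificate carrying id-kp-clientAuth and a dNSName SAN only proves the client holds the private key for a cert that names that FQDN; it does not by itself show the connection actually comes from that host. The following is an added illustration (not code from the thread or from any CA or browser project) of the app-layer correlation step the comment describes, in its simplest resolve-and-compare form: after the TLS handshake, the server resolves each dNSName SAN and checks whether the peer address of the connection is among the results. The certificate model, the `FAKE_DNS` table, and the `authenticate_client_fqdn` / `names_routable_to_peer` function names are constructed assumptions for the example; a real deployment would parse the X.509 certificate and query a resolver.

```python
import ipaddress
from dataclasses import dataclass

# Constructed DNS view (assumption): what the server's resolver would return
# for each FQDN. In a real service this would be an actual DNS lookup.
FAKE_DNS = {
    "client-a.example.test": {"192.0.2.10"},
    "client-b.example.test": {"192.0.2.20", "2001:db8::20"},
}


@dataclass
class PresentedCert:
    """Minimal model of the two certificate fields discussed here.

    This is a constructed stand-in, not an X.509 parser: `eku` holds the
    extended key usage names, `dns_sans` the dNSName entries of the SAN.
    """
    eku: set
    dns_sans: list


def cert_claims_client_auth(cert):
    """True if the certificate asserts id-kp-clientAuth in its EKU."""
    return "clientAuth" in cert.eku


def names_routable_to_peer(cert, peer_ip, resolve=lambda n: FAKE_DNS.get(n, set())):
    """Return the SAN names whose resolved addresses include the address
    the TLS peer actually connected from.

    `resolve` is injectable so the check can be tested offline; by default
    it consults the constructed FAKE_DNS table above.
    """
    peer = ipaddress.ip_address(peer_ip)
    matched = []
    for name in cert.dns_sans:
        addrs = {ipaddress.ip_address(a) for a in resolve(name)}
        if peer in addrs:
            matched.append(name)
    return matched


def authenticate_client_fqdn(cert, peer_ip):
    """Decide whether any dNSName SAN may be treated as the client's
    authenticated FQDN for this connection.

    Returns (accepted_name_or_None, reason). Holding a clientAuth cert
    that names an FQDN is necessary but not sufficient; the name must
    also correlate with the connection itself.
    """
    if not cert_claims_client_auth(cert):
        return None, "no id-kp-clientAuth EKU"
    if not cert.dns_sans:
        return None, "no dNSName SAN"
    matched = names_routable_to_peer(cert, peer_ip)
    if not matched:
        return None, "SAN names do not resolve to the connecting address"
    return matched[0], "SAN name resolves to connecting address"


if __name__ == "__main__":
    good = PresentedCert({"clientAuth"}, ["client-a.example.test"])
    print(authenticate_client_fqdn(good, "192.0.2.10"))   # accepted
    print(authenticate_client_fqdn(good, "198.51.100.7")) # name present, address does not correlate
```

Resolve-and-compare is the weakest form of the check: several clients behind one NAT address all pass it, and it says nothing if the resolver path is untrusted. The stronger variant the comment sketches, where the server opens its own connection to the resolved FQDN and confirms it reaches the same TLS client (for instance by comparing a nonce sent on each connection), closes that gap at the cost of a second round trip.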
dextercd|1 month ago
unknown|1 month ago
[deleted]
0xbadcafebee|1 month ago
cryptonector|1 month ago
singpolyma3|1 month ago
JackSlateur|1 month ago
mTLS is probably the only sane situation where private key infrastructure shall be used
greyface-|1 month ago