Not urgent, no response needed.
Gershon, I'm just sending this as a datum for future OASIS tech platform diagnosis, in case you didn't see it.
Normally, of course, I wouldn't expect that this change will touch the kind of simple email other operations we do. (Or should do, anyway, congruent to Bret Jordan's point about keeping all of our IT very very simple.) It certainly could be the case that Google Chrome browser users may experience increasingly different issues from others, though.
---------- Forwarded message ---------
Google Chrome plans to remove any CA that issues certificates with clientauth extended key usage. All corresponding unexpired and unrevoked... -posted to the "OASIS Key Management Interoperability Protocol (KMIP) TC" community
| IETF TLS working group on clientauth in certificates | | | | | Google Chrome plans to remove any CA that issues certificates with clientauth extended key usage.
All corresponding unexpired and unrevoked subscriber (i.e., TLS server authentication) certificates issued on or after June 15, 2026 MUST include the extendedKeyUsage extension and only assert an extendedKeyUsage purpose of id-kp-serverAuth.
Further links for the background of the above referenced policy change:
The implications are that Google will cause all the public CAs to remove any support for issuing certificates set for client authentication purposes and only custom private CAs will be able to be used in future.
I'm just raising this as a topic for potential TC discussion for those who are not across the current discussions on various lists.
Thanks, Tim
| | | Reply to Group via Email Reply to Sender via Email View Thread Recommend Forward |
| |