Path: news.eternal-september.org!eternal-september.org!feeder3.eternal-september.org!news.iecc.com!.POSTED.news.iecc.com!not-for-mail
From: John Levine <johnl@taugh.com>
Newsgroups: comp.mail.sendmail
Subject: Client Auth certificates, threat or menace?
Date: Tue, 20 May 2025 16:35:01 -0000 (UTC)
Organization: Taughannock Networks
Message-ID: <100iavl$13mj$1@gal.iecc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 20 May 2025 16:35:01 -0000 (UTC)
Injection-Info: gal.iecc.com; posting-host="news.iecc.com:2001:470:1f07:1126:0:676f:7373:6970";
	logging-data="36563"; mail-complaints-to="abuse@iecc.com"
Cleverness: some
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: johnl@iecc.com (John Levine)

Let's Encrypt issues the vast majority of signed TLS certificates these days.
They rececently said they will end the option to sign Client Authentication
certificates, and only do the more common Server Authentication.

By my understanding, the only place that a mail system uses Client
Authentication certs is that a submission client can present a cert
for SMTP AUTH rather than a username and a password. It's a niche
feature and the normal way to do it is for the mail system to set up
its own private CA and sign the users' certs, so it can just check
that it sees its signature.
encrypt.

This thread at Let's Encrypt claims that this will break sendmail because it
checks for the Client bit when it's sending mail.  That seems wrong but I
figure it wouldn't hurt to ask.

https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427

-- 
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly