Hi Jim and group, 

I hope you are well. 

As it has been published, most major CAs have stopped including the Client 
Authentication EKU in new SSL certificates in Q3/Q4 2025. After the 1st of May 
2026, no public certs can include the ClientAuth EKU. These changes could disrupt 
EPP session establishment. 

The draft in the subject field addresses this change and proposes solutions to 
this problem. 

Please help review the options proposed and share thoughts on ways to make the 
proposed solutions more robust.  

Thanks
Zaid

On 12/8/25, 10:31 AM, "AlBanna, Zaid" <[email protected]> wrote:


Thanks Jim, 


At this point I am asking for a review. 


Regards
Zaid


On 12/8/25, 10:30 AM, "James Galvin" <[email protected]> wrote:








Zaid,

Are you just asking for review or are you asking for review in anticipation of 
asking for Working Group adoption?

Thanks,

Jim, Antoin, Jorge
REGEXT co-Chairs








On 2 Dec 2025, at 14:39, AlBanna, Zaid wrote:




> Hello,
>
> I hope all is well.
>
> I submitted the draft below. Kindly review and comment. Thanks in advance.
>
> Zaid
>
> On 12/2/25, 2:38 PM, "[email protected]" <[email protected]> wrote:
>
>
>
>
> Internet-Draft draft-albanna-regext-eku-mtls-in-epp-00.txt is now available.
>
>
> Title: Extended Key Usage and Mutual TLS in EPP
> Authors: Zaid AlBanna
> James Gould
> Scott Hollenbeck
> Name: draft-albanna-regext-eku-mtls-in-epp-00.txt
> Pages: 10
> Dates: 2025-12-02
>
>
> Abstract:
>
>
> This document describes the state of the Mutual Transport Layer
> Security (mTLS) client authentication mechanism in the Extensible
> Provisioning Protocol (EPP) with respect to a recent change in the
> client certificates published by some Certificate Authorities (CAs).
> The issue is described and options are presented to address the
> operational impact of the change.
>
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-albanna-regext-eku-mtls-in-epp/
>
>
> There is also an HTMLized version available at:
> https://datatracker.ietf.org/doc/html/draft-albanna-regext-eku-mtls-in-epp-00
>
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
>
>
>
> _______________________________________________
> I-D-Announce mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
>
>
> _______________________________________________
> regext mailing list -- [email protected]
> To unsubscribe send an email to [email protected]








