Hi Zaid, [no hat]
My thanks to you, Jim and Scott, for producing a document which succinctly outlines the problem, and the possible solutions to it. In a past life, I developed an EPP server implementation that allowed clients to register certificates (either CA-issued or self-signed) out-of-band, that could then be used to authenticate EPP connections. This approach is a sort of a hybrid between solutions 5.1.2 and 5.1.3, but doesn't fit either, and may be another solution that this document should consider. If I were building an EPP server now, I would definitely opt for 5.1.3, the TLSA solution, as it is general purpose, lightweight, and interoperable. In my current job, I have some experience with using TLSA records for client authentication for various front-end APIs, and it usually works very well. I note that the "dance" Working Group is almost finished working on a protocol for "TLS Client Authentication via DANE TLSA records". As I understand it, this differs slightly from how ICANN uses TLSA records for authentication, in that it describes a TLSA extension which the client uses to tell the server which FQDN to query to obtain the TLSA records that validate its certificate. Their work can be reviewed here: https://datatracker.ietf.org/wg/dance/documents/ I would support (and contribute to) an effort by this WG to develop a specification for EPP client authentication based on the dance WG's work. Thanks, Gavin. On Mon, 15 Dec 2025, at 18:12, AlBanna, Zaid wrote: > Hi Jim and group, > > I hope you are well. > > As it has been published, most major CAs have stopped including the > Client Authentication EKU in new SSL certificates in Q3/Q4 2025. After > the 01st of May 2026 no public certs can include ClientAuth EKU. These > changes could disrupt EPP session establishment. > > The draft in the subject field addresses this change and proposes > solutions to this problem. > > Please help review the options proposed and share thoughts on ways to > make the proposed solutions more robust. > > Thanks > Zaid > > On 12/8/25, 10:31 AM, "AlBanna, Zaid" <[email protected] > <mailto:[email protected]>> wrote: > > > Thanks Jim, > > > At this point I am asking for a review. > > > Regards > Zaid > > > On 12/8/25, 10:30 AM, "James Galvin" <[email protected] > <mailto:[email protected]> <mailto:[email protected] > <mailto:[email protected]>>> wrote: > > > > > Caution: This email originated from outside the organization. Do not > click links or open attachments unless you recognize the sender and > know the content is safe. > > > > > Zaid, > > > > > Are you just asking for review or are you asking for review in > anticipation of asking for Working Group adoption? > > > > > Thanks, > > > > > Jim, Antoin, Jorge > REGEXT co-Chairs > > > > > > > > > On 2 Dec 2025, at 14:39, AlBanna, Zaid wrote: > > > > >> Hello, >> >> I hope all is well. >> >> I submitted the draft below. Kindly review and comment. Thanks in advance. >> >> Zaid >> >> On 12/2/25, 2:38 PM, "[email protected] >> <mailto:[email protected]> <mailto:[email protected] >> <mailto:[email protected]>> <mailto:[email protected] >> <mailto:[email protected]> <mailto:[email protected] >> <mailto:[email protected]>>> " <[email protected] >> <mailto:[email protected]> <mailto:[email protected] >> <mailto:[email protected]>> <mailto:[email protected] >> <mailto:[email protected]> <mailto:[email protected] >> <mailto:[email protected]>>>> wrote: >> >> >> Caution: This email originated from outside the organization. Do not click >> links or open attachments unless you recognize the sender and know the >> content is safe. >> >> >> Internet-Draft draft-albanna-regext-eku-mtls-in-epp-00.txt is now available. >> >> >> Title: Extended Key Usage and Mutual TLS in EPP >> Authors: Zaid AlBanna >> James Gould >> Scott Hollenbeck >> Name: draft-albanna-regext-eku-mtls-in-epp-00.txt >> Pages: 10 >> Dates: 2025-12-02 >> >> >> Abstract: >> >> >> This document describes the state of the Mutual Transport Layer >> Security (mTLS) client authentication mechanism in the Extensible >> Provisioning Protocol (EPP) with respect to a recent change in the >> client certificates published by some Certificate Authorities (CAs). >> The issue is described and options are presented to address the >> operational impact of the change. >> >> >> The IETF datatracker status page for this Internet-Draft is: >> https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F >> >> <https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F> >> >> <https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F> >> >> <https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F>> >> >> <https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F> >> >> <https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F>> >> >> <https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F>> >> >> <https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F&gt;>> >> >> >> There is also an HTMLized version available at: >> https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00 >> >> <https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00> >> >> <https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00> >> >> <https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00>> >> >> <https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00> >> >> <https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00>> >> >> <https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00>> >> >> <https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00&gt;>> >> >> >> Internet-Drafts are also available by rsync at: >> rsync.ietf.org::internet-drafts >> >> >> >> >> _______________________________________________ >> I-D-Announce mailing list -- [email protected] >> <mailto:[email protected]> <mailto:[email protected] >> <mailto:[email protected]>> <mailto:[email protected] >> <mailto:[email protected]> <mailto:[email protected] >> <mailto:[email protected]>>> >> To unsubscribe send an email to [email protected] >> <mailto:[email protected]> <mailto:[email protected] >> <mailto:[email protected]>> <mailto:[email protected] >> <mailto:[email protected]> <mailto:[email protected] >> <mailto:[email protected]>>> >> >> >> >> _______________________________________________ >> regext mailing list -- [email protected] <mailto:[email protected]> >> <mailto:[email protected] <mailto:[email protected]>> >> To unsubscribe send an email to [email protected] >> <mailto:[email protected]> <mailto:[email protected] >> <mailto:[email protected]>> _______________________________________________ regext mailing list -- [email protected] To unsubscribe send an email to [email protected]
