Speaking as a participant: Without commenting on your specific choice of a solution, my preference is not to choose a solution.
In my opinion, choosing a solution is tantamount to changing EPP because right now EPP does not place any implementation requirements on certificates or their extensions. I would prefer that the working group seek adoption of the document and that we focus on making the key point that EPP servers can make their implementation requirements and here are a few categories of solutions. Of course, we should specifically note that since EPP does not make requirements it is important to track changing Certificate Authority policies and consider any impact that might have. Thanks, Jim On 16 Dec 2025, at 7:25, Gavin Brown wrote: > Hi Zaid, > > [no hat] > > My thanks to you, Jim and Scott, for producing a document which succinctly > outlines the problem, and the possible solutions to it. > > In a past life, I developed an EPP server implementation that allowed clients > to register certificates (either CA-issued or self-signed) out-of-band, that > could then be used to authenticate EPP connections. This approach is a sort > of a hybrid between solutions 5.1.2 and 5.1.3, but doesn't fit either, and > may be another solution that this document should consider. > > If I were building an EPP server now, I would definitely opt for 5.1.3, the > TLSA solution, as it is general purpose, lightweight, and interoperable. In > my current job, I have some experience with using TLSA records for client > authentication for various front-end APIs, and it usually works very well. > > I note that the "dance" Working Group is almost finished working on a > protocol for "TLS Client Authentication via DANE TLSA records". As I > understand it, this differs slightly from how ICANN uses TLSA records for > authentication, in that it describes a TLSA extension which the client uses > to tell the server which FQDN to query to obtain the TLSA records that > validate its certificate. Their work can be reviewed here: > > https://datatracker.ietf.org/wg/dance/documents/ > > I would support (and contribute to) an effort by this WG to develop a > specification for EPP client authentication based on the dance WG's work. > > Thanks, > > Gavin. > > On Mon, 15 Dec 2025, at 18:12, AlBanna, Zaid wrote: >> Hi Jim and group, >> >> I hope you are well. >> >> As it has been published, most major CAs have stopped including the >> Client Authentication EKU in new SSL certificates in Q3/Q4 2025. After >> the 01st of May 2026 no public certs can include ClientAuth EKU. These >> changes could disrupt EPP session establishment. >> >> The draft in the subject field addresses this change and proposes >> solutions to this problem. >> >> Please help review the options proposed and share thoughts on ways to >> make the proposed solutions more robust. >> >> Thanks >> Zaid >> >> On 12/8/25, 10:31 AM, "AlBanna, Zaid" <[email protected] >> <mailto:[email protected]>> wrote: >> >> >> Thanks Jim, >> >> >> At this point I am asking for a review. >> >> >> Regards >> Zaid >> >> >> On 12/8/25, 10:30 AM, "James Galvin" <[email protected] >> <mailto:[email protected]> <mailto:[email protected] >> <mailto:[email protected]>>> wrote: >> >> >> >> >> Caution: This email originated from outside the organization. Do not >> click links or open attachments unless you recognize the sender and >> know the content is safe. >> >> >> >> >> Zaid, >> >> >> >> >> Are you just asking for review or are you asking for review in >> anticipation of asking for Working Group adoption? >> >> >> >> >> Thanks, >> >> >> >> >> Jim, Antoin, Jorge >> REGEXT co-Chairs >> >> >> >> >> >> >> >> >> On 2 Dec 2025, at 14:39, AlBanna, Zaid wrote: >> >> >> >> >>> Hello, >>> >>> I hope all is well. >>> >>> I submitted the draft below. Kindly review and comment. Thanks in advance. >>> >>> Zaid >>> >>> On 12/2/25, 2:38 PM, "[email protected] >>> <mailto:[email protected]> <mailto:[email protected] >>> <mailto:[email protected]>> <mailto:[email protected] >>> <mailto:[email protected]> <mailto:[email protected] >>> <mailto:[email protected]>>> " <[email protected] >>> <mailto:[email protected]> <mailto:[email protected] >>> <mailto:[email protected]>> <mailto:[email protected] >>> <mailto:[email protected]> <mailto:[email protected] >>> <mailto:[email protected]>>>> wrote: >>> >>> >>> Caution: This email originated from outside the organization. Do not click >>> links or open attachments unless you recognize the sender and know the >>> content is safe. >>> >>> >>> Internet-Draft draft-albanna-regext-eku-mtls-in-epp-00.txt is now available. >>> >>> >>> Title: Extended Key Usage and Mutual TLS in EPP >>> Authors: Zaid AlBanna >>> James Gould >>> Scott Hollenbeck >>> Name: draft-albanna-regext-eku-mtls-in-epp-00.txt >>> Pages: 10 >>> Dates: 2025-12-02 >>> >>> >>> Abstract: >>> >>> >>> This document describes the state of the Mutual Transport Layer >>> Security (mTLS) client authentication mechanism in the Extensible >>> Provisioning Protocol (EPP) with respect to a recent change in the >>> client certificates published by some Certificate Authorities (CAs). >>> The issue is described and options are presented to address the >>> operational impact of the change. >>> >>> >>> The IETF datatracker status page for this Internet-Draft is: >>> https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F >>> >>> <https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F> >>> >>> <https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F> >>> >>> <https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F>> >>> >>> <https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F> >>> >>> <https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F>> >>> >>> <https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F>> >>> >>> <https://secure-web.cisco.com/1Fn_sSTgAN6EuQflfKpRjHFhw3wsTeC356PoUVEOpwaMY9oCq_eagfdAoUCHhJr_WkhlIONa_P9A9f8YNlSkk26keIBnPuHI6ITsU1Z7e-6ZZ7Uu-5UcOuXqHPntJC4Rk4_3jVRzOX1NPr2sUXK9lvTw_drYvwpGNNIC66Vp7VrwvIOLP67_Gp3KJZRql0Iy7tG_stcIXpZd6tJqlLV_dNgvWFWJVJHvCbY0-sCFZcUJm16RFmyNG6DHaRryO_Z6vQSVJ597OfG0PjiT9HNH4WRKsOLBAZoz3gAaiITx1ct8/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-albanna-regext-eku-mtls-in-epp%2F&gt;>> >>> >>> >>> There is also an HTMLized version available at: >>> https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00 >>> >>> <https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00> >>> >>> <https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00> >>> >>> <https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00>> >>> >>> <https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00> >>> >>> <https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00>> >>> >>> <https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00>> >>> >>> <https://secure-web.cisco.com/1hrVLgccmsfDoRVjEuc2vUUFcDLH5ZocmaNdNwovEFYadG96W1RfoE2pXpO_D66vcXfvw5mkcTt1OaGb6pIpLjIbbE68aJ7iMupC468jxBGBVPqYzcnKO1ZVs4nwGEXd2ftM3OwiqLh_BcnD5oymsLF6K1zlZtvluw5_aJZl_dSoDBoFK06pcfqwfR4Q2wfKfrXYsLBiRYI3tLPSpdBmYwsQ4Wmb9wPMQO7TzQ-gVtgosW8QXbxppcMXeT1KGBwxiSWih821eADy5ghFeVS_0_yhXQhkVqCXUubnP7iiSVAc/https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-albanna-regext-eku-mtls-in-epp-00&gt;>> >>> >>> >>> Internet-Drafts are also available by rsync at: >>> rsync.ietf.org::internet-drafts >>> >>> >>> >>> >>> _______________________________________________ >>> I-D-Announce mailing list -- [email protected] >>> <mailto:[email protected]> <mailto:[email protected] >>> <mailto:[email protected]>> <mailto:[email protected] >>> <mailto:[email protected]> <mailto:[email protected] >>> <mailto:[email protected]>>> >>> To unsubscribe send an email to [email protected] >>> <mailto:[email protected]> <mailto:[email protected] >>> <mailto:[email protected]>> <mailto:[email protected] >>> <mailto:[email protected]> <mailto:[email protected] >>> <mailto:[email protected]>>> >>> >>> >>> >>> _______________________________________________ >>> regext mailing list -- [email protected] <mailto:[email protected]> >>> <mailto:[email protected] <mailto:[email protected]>> >>> To unsubscribe send an email to [email protected] >>> <mailto:[email protected]> <mailto:[email protected] >>> <mailto:[email protected]>> _______________________________________________ regext mailing list -- [email protected] To unsubscribe send an email to [email protected]
