On Wed, Mar 25, 2026 at 12:41:09AM -0700, Wei Chuang wrote:
> On Tue, Mar 24, 2026 at 7:20 PM Viktor Dukhovni <[email protected]>
> wrote:
>
> > > Furthermore, it sounds like some of the CAs in the CABF are
> > > thinking about a WG for Client Authentication.
> >
> > If possible, please keep us (or at least just me) apprised of any
> > substantive changes that come out of these conversations.
>
> I'm not part of those conversations. Someone pointed out those discussions
> to me, so I wanted to pass that along as I thought they would be relevant
> and help inform the conversation here.
I left a comment on issue #604 with them last night. I don't expect
engagement though. But you might have an easier time getting traction.
On the other hand I expect the Chrome Root Program won't speak to you,
probably for legal reasons.

Like Viktor I'm curious what happens if you don't supply client certs
when requested -- they are optional in TLS 1.3, and clients can refuse
to present them even when requested. What breaks then?

The other thing is that the CAs are NOT prohibited from having a client
certificate product. Rather, they cannot do so below the roots that the
browsers use. In principle the CAs can have parallel PKIs for client
certificates, so you might be able to use those at the cost of having to
have your peers re-configured to use new trust anchors for MTA client
certificates.

Nico
-- 
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
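Nico's question (what breaks when a client answers a TLS 1.3 CertificateRequest with an empty Certificate message) can be checked directly. The program below is an added example and is not part of the thread or of any project discussed in it: a Go crypto/tls server runs one TLS 1.3 handshake over an in-memory pipe under each of Go's ClientAuth policies, against a client that has no certificate configured and therefore declines. The server name mta.example, the self-signed certificate, and the helper names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome is the server's view of one handshake attempt.
type Outcome struct {
	HandshakeOK bool   // did the server-side handshake complete?
	PeerCerts   int    // certificates the server received from the client
	Err         string // server-side handshake error, if any
}

// newServerCert builds a throwaway self-signed certificate for the
// hypothetical host "mta.example" (constructed for this example only).
func newServerCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "mta.example"},
		DNSNames:     []string{"mta.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// handshakeWithoutClientCert runs one TLS 1.3 handshake. The server applies
// the given ClientAuth policy; the client has no certificate configured, so
// it answers any CertificateRequest with an empty Certificate message, which
// TLS 1.3 permits. The result is what the server saw.
func handshakeWithoutClientCert(mode tls.ClientAuthType) Outcome {
	srvCert, parsed, err := newServerCert()
	if err != nil {
		return Outcome{Err: err.Error()}
	}
	roots := x509.NewCertPool()
	roots.AddCert(parsed)

	srvConf := &tls.Config{
		Certificates:           []tls.Certificate{srvCert},
		ClientAuth:             mode,
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // no post-handshake flight on the synchronous pipe
	}
	cliConf := &tls.Config{
		RootCAs:    roots,
		ServerName: "mta.example",
		MinVersion: tls.VersionTLS13,
		// No Certificates and no GetClientCertificate: the client declines.
	}

	cliSide, srvSide := net.Pipe()
	client, server := tls.Client(cliSide, cliConf), tls.Server(srvSide, srvConf)
	defer client.Close()

	// net.Pipe is unbuffered, so the client keeps reading after its own
	// handshake returns; that drains whatever the server sends next (a
	// bad_certificate alert or close_notify) instead of deadlocking.
	done := make(chan struct{})
	go func() {
		defer close(done)
		if client.Handshake() == nil {
			var buf [1]byte
			client.Read(buf[:])
		}
	}()

	out := Outcome{}
	if err := server.Handshake(); err != nil {
		out.Err = err.Error()
	} else {
		out.HandshakeOK = true
		out.PeerCerts = len(server.ConnectionState().PeerCertificates)
	}
	server.Close() // unblocks the client's drain read
	<-done
	return out
}

func main() {
	for _, m := range []tls.ClientAuthType{tls.NoClientCert, tls.RequestClientCert,
		tls.VerifyClientCertIfGiven, tls.RequireAnyClientCert} {
		fmt.Printf("%-28v %+v\n", m, handshakeWithoutClientCert(m))
	}
}
```

What the run shows is that the TLS layer itself does not break: with RequestClientCert (or VerifyClientCertIfGiven) the handshake completes and the server simply sees zero peer certificates, so refusing a client is a policy decision the server application has to make after the handshake. Only a server configured to require a certificate (RequireAnyClientCert here; OpenSSL's SSL_VERIFY_FAIL_IF_NO_PEER_CERT is the equivalent knob) aborts with a bad_certificate alert. Which of the two a given MTA does is therefore a configuration question for that peer, not something the protocol settles.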
