ClientAuth for Servers


Antony Vennard

Oct 22, 2025, 6:27:20 AM
to server...@groups.cabforum.org
Good afternoon Forum,

As you are no doubt aware, some root program operators have chosen to
only host TLS Server-specific hierarchies; as a consequence, multiple
CAs have chosen to cease issuing certificates containing the client-
authentication EKU.

Rightly or wrongly, many financial and other organisations rely on this
property for mutual TLS. id-kp-clientAuth remains a "MAY" in subscriber
certificate EKU according to the latest BRs for server certs.

I would therefore like to ask the following questions:

1) Is it the case in the view of the forum that "servercert" is
uniquely for the server authentication use case?

2) If so, should this be reflected in the BRs?

3) If so, does the forum envisage a role for client auth certificates
specifically for server to server authentication (either in this WG or
elsewhere), where the "client" is always a machine?

Kind regards,

Antony
(representing myself only, as an "interested party")

Wayne Thayer

Oct 23, 2025, 12:24:00 AM
to server...@groups.cabforum.org
Hi Antony,

I would refer you to the minutes from the last face-to-face meeting where this was discussed at length: https://cabforum.org/2025/06/11/minutes-of-the-f2f-65-meeting-in-toronto-canada-scwg-june-11-2025/#minutes-1

I think it's fair to conclude from that discussion that there is currently no consensus within the Forum on this topic, or more specifically on the answers to the questions that you have posed.

Thanks,

Wayne
