nickf 2 days ago
mTLS is going to be a problem soon, arguably bigger than this lifetime reduction. Most server certs today have clientAuth EKU and can be used for mTLS. That stops next year.
kbolino 5 hours ago
It took me a while to dig up evidence for this, but the closest I can find is that subordinate CA certificates will no longer be allowed to have id-kp-clientAuth EKU [1]; however, this restriction does not apply to leaf certificates.

[1]: https://googlechrome.github.io/chromerootprogram/#321-applic...