mirabilos<p>Remember the threads①② about <a href="https://toot.mirbsd.org/tags/letsencrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LetsEncrypt</span></a> removing a crucial key usage from certificates issued by them, in anticipatory obedience to their premium sponsor Google?</p><p>We were at first concerned about <a href="https://toot.mirbsd.org/tags/smtp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SMTP</span></a>. While I had lived through this problem with <a href="https://toot.mirbsd.org/tags/startssl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StartSSL</span></a> by <a href="https://toot.mirbsd.org/tags/startcom" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StartCom</span></a> back in 2011, I only had a vague recollection of Jabber, but recalled in detail that it broke server-to-server SMTP verification (whether the receiving server acted on it or just documented it).</p><p>Well, it turns out someone has now reported that it <em>indeed</em> breaks <a href="https://toot.mirbsd.org/tags/xmpp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>XMPP</span></a> entirely: <a href="https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427/66" rel="nofollow noopener" target="_blank">https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427/66</a></p><p>This means that <strong>it <em>will</em> soon no longer be possible <em>at all</em> to operate Jabber (XMPP) servers</strong>, because the servers use the operating system’s CA certificate bundle for verification, which generally follows the major browsers’ root stores, which in turn impose the requirements of the CA/Browser Forum, who apparently don’t care about anything other than the web browser; so no CA whose root certificate is in that store <strong>will be <em>allowed</em> to</strong> issue certificates suitable for Jabber/XMPP server-to-server communication, while these CAs are the only ones trusted by those servers.</p><p>So, yes, Google’s requirement change <em><strong>is</strong></em> after all breaking Jabber entirely. <em>Shame on whoever thinks ill of it.</em> (<em>Ein Schelm, wer Böses dabei denkt.</em>)</p><p>While <a href="https://nerdcert.eu/" rel="nofollow noopener" target="_blank">https://nerdcert.eu/</a> by <span class="h-card"><a href="https://social.wildeboer.net/@jwildeboer" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>jwildeboer</span></a></span> would in theory help, it doesn’t exist yet, and there’s not just the question of <em>when</em> it will be included in operating systems’ root CA stores but <em>whether</em> it will be included in them at all.</p><p>Google’s policy has no listed contact point, and the CA/B Forum isn’t something mere mortals can complain to, so I’d appreciate it if someone who can, who has significant skill at arguing this in English, and who is willing, would bring it to them.</p><p>① mine: <a href="https://toot.mirbsd.org/@mirabilos/statuses/01JV8MDA4P895KK6F91SV7WET8" rel="nofollow noopener" target="_blank">https://toot.mirbsd.org/@mirabilos/statuses/01JV8MDA4P895KK6F91SV7WET8</a><br>② jwildeboer’s: <a href="https://social.wildeboer.net/@jwildeboer/114516238307785904" rel="nofollow noopener" target="_blank">https://social.wildeboer.net/@jwildeboer/114516238307785904</a></p>
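<p>An added example, not from mirabilos’s post or the linked Let’s Encrypt thread: the check an XMPP operator would want after reading the above, namely whether a certificate’s Extended Key Usage still lists <code>id-kp-clientAuth</code>, which the initiating side of a server-to-server connection needs when it presents its own certificate as the TLS client. It is stdlib-only Python with a small DER walker instead of an external X.509 parser. The OID values are the RFC 5280 ones; the sample inputs are constructed Extensions blocks (not real certificates), and the function names <code>extended_key_usage</code>, <code>usable_for_xmpp_s2s</code>, <code>der_from_pem</code> and <code>sample_extensions</code> are this example’s own.</p>

```python
"""Does a certificate's Extended Key Usage (EKU) still permit TLS client
authentication? An XMPP server needs that when it *initiates* a server-to-server
(s2s) connection and presents its own certificate as the TLS client.
Stdlib only: a minimal DER walker instead of an external X.509 parser."""
import base64
import re

# Dotted OIDs from RFC 5280: id-ce-extKeyUsage, id-kp-serverAuth, id-kp-clientAuth
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING = 0x30, 0x06, 0x04


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos] -> (tag, value, position after it).
    Short- and long-form lengths; high tag numbers do not occur in X.509."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _iter_children(value):
    """Yield (tag, value) of each TLV directly inside a constructed element."""
    pos = 0
    while pos < len(value):
        tag, child, pos = _read_tlv(value, pos)
        yield tag, child


def _decode_oid(body):
    """DER OID contents -> dotted string (first octet packs the first two arcs)."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def extended_key_usage(der):
    """EKU OID list of a DER certificate, or None if the extension is absent.
    Recurses through every constructed element, so it finds
    Extension ::= SEQUENCE { OID, critical BOOLEAN OPTIONAL, OCTET STRING }
    without modelling the rest of TBSCertificate."""
    def walk(tag, value):
        if not tag & 0x20:                   # primitive element: nothing inside
            return None
        children = list(_iter_children(value))
        if (tag == TAG_SEQUENCE and children and children[0][0] == TAG_OID
                and _decode_oid(children[0][1]) == OID_EXT_KEY_USAGE):
            payload_tag, payload = children[-1]          # extnValue OCTET STRING
            inner_tag, inner, _ = _read_tlv(payload, 0)  # ExtKeyUsageSyntax SEQUENCE
            if payload_tag != TAG_OCTET_STRING or inner_tag != TAG_SEQUENCE:
                raise ValueError("malformed extKeyUsage extension")
            return [_decode_oid(v) for t, v in _iter_children(inner) if t == TAG_OID]
        for child_tag, child in children:
            found = walk(child_tag, child)
            if found is not None:
                return found
        return None

    tag, value, _ = _read_tlv(der, 0)
    return walk(tag, value)


def usable_for_xmpp_s2s(der):
    """True if the cert may act as TLS server *and* TLS client. A certificate
    without any EKU extension is unrestricted (RFC 5280 sec. 4.2.1.12)."""
    ekus = extended_key_usage(der)
    return ekus is None or (OID_SERVER_AUTH in ekus and OID_CLIENT_AUTH in ekus)


def der_from_pem(pem_text):
    """DER bytes of the first CERTIFICATE block in PEM text, e.g. fullchain.pem:
    usable_for_xmpp_s2s(der_from_pem(open("fullchain.pem").read()))"""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


# --- constructed sample input for the demo, not a real certificate -------------
def _der(tag, body):
    """Encode one DER TLV (short-form length is enough for these samples)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


def _encode_oid(dotted):
    """Dotted OID -> DER OID TLV (base-128 arcs, continuation bit on all but last)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _der(TAG_OID, bytes(out))


def sample_extensions(*eku_oids):
    """Extensions ([3] EXPLICIT SEQUENCE OF Extension) holding just one EKU
    extension with the given purposes: the shape found inside an end-entity cert."""
    eku = _der(TAG_SEQUENCE, b"".join(_encode_oid(o) for o in eku_oids))
    ext = _der(TAG_SEQUENCE, _encode_oid(OID_EXT_KEY_USAGE) + _der(TAG_OCTET_STRING, eku))
    return _der(0xA3, _der(TAG_SEQUENCE, ext))


# Demo inputs: a leaf with only serverAuth (the situation the post describes)
# beside one that still carries both purposes.
SERVER_ONLY = sample_extensions(OID_SERVER_AUTH)
SERVER_AND_CLIENT = sample_extensions(OID_SERVER_AUTH, OID_CLIENT_AUTH)
```

<p>To check a deployed certificate, read the PEM file, pass it through <code>der_from_pem</code> and hand the result to <code>usable_for_xmpp_s2s</code>: a leaf issued with only <code>id-kp-serverAuth</code> comes back <code>False</code> even though it keeps working for ordinary HTTPS, which is exactly the asymmetry the post complains about. Note that the function treats a certificate with no EKU extension at all as unrestricted, following RFC 5280; whether a given XMPP implementation is that lenient is a separate question.</p>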