> Google Chrome’s root program requirements, which impose a June 2026 deadline to split TLS Client and Server Authentication into separate PKIs
Can someone explain the reason for these changes? Personally I am a fan of clients not doing any form of authentication and I immediately think of something unconstructive like web integrity.
I think mTLS is great, but I wonder about the rationale for this change... If my front-end services are using a certificate to serve client requests, why shouldn't that same certificate also be used to authenticate them to backend services? Sure, a private CA seems like a reasonable thing to use here, but what makes PKI certs unreasonable for client authentication? Is it because we want to prevent client computer names from showing up in certificate transparency logs?
> Google Chrome’s root program requirements, which impose a June 2026 deadline to split TLS Client and Server Authentication into separate PKIs
Can someone explain the reason for these changes? Personally I am a fan of clients not doing any form of authentication and I immediately think of something unconstructive like web integrity.
Client authentication certificates are good for Mutual TLS (mTLS): https://en.m.wikipedia.org/wiki/Mutual_authentication
I think mTLS is great, but I wonder about the rationale for this change... If my front-end services are using a certificate to serve client requests, why shouldn't that same certificate also be used to authenticate them to backend services? Sure, a private CA seems like a reasonable thing to use here, but what makes PKI certs unreasonable for client authentication? Is it because we want to prevent client computer names from showing up in certificate transparency logs?