New blog post: some lessons in community building (my career pivots, to Mastodon and the #Fediverse), in a recent chat with Michelle Goodall. #CommunityBuilding #Fediverse #100DaysToOffload
Court verdict against Yoon reminiscent of ‘communist’ North Korea: Kim Moon-soo | NK News
Conservative South Korean presidential candidate Kim Moon-soo on Thursday condemned the unanimous impeachment verdict against former President Yoon Suk-yeol as reminiscent of “communist” North Korea, a framing one expert described as “dangerous” rhet…
shreyasreddy (NK News)
If you want to object to the use of your data for "training" artificial intelligence by all Meta applications (#Facebook, #WhatsApp, #Instagram & Co):
Facebook - form (#Formular) facebook.com/help/contact/6359…
Instagram - form
help.instagram.com/contact/233…
More info:
verbraucherzentrale.de/aktuell…
The required active objection (#Widersprechen, #OptOut) is unlawful:
"In our view, Meta's approach violates European data protection law. The Verbraucherzentrale NRW has therefore issued Meta another formal warning. Because the company is sticking to its plans, the Verbraucherzentrale NRW has applied to the Higher Regional Court of Cologne for a preliminary injunction. Anyone who wants to object should do so anyway!"
Why is this a problem?
"Once this data (all messages, photos, posts, comments, etc.) has been used for AI training, it can no longer be retrieved or deleted."
It's urgent:
From 27.05, Meta will use your data if no objection has been lodged by then ...
"Meta AI" on Facebook, Instagram and WhatsApp – how to object | Verbraucherzentrale.de
Meta wants to use public user content in Europe to train its AI "Meta AI". You can object to the use of your data, but you cannot switch off the chatbot with the blue circle.
Verbraucherzentrale.de
Farewell, Comrade Ali Rashid, fear not: we will not leave your Palestine alone
Stefano Galieni* A comrade of so many shared struggles has passed away and I am left, forgive me for speaking in the first person, stunned, grieved, outraged, incred
Rifondazione Comunista
The latest Clonezilla live 3.2.2-5 release brings a fresh Debian Sid base, a new kernel, Ezio tweaks, and bug fixes to improve disk imaging performance.
linuxiac.com/clonezilla-live-3…
Trans* and queer liberation, march in Rome - DINAMOpress
An important event in support of queer struggles, historically marginalised, made invisible and harshly attacked by the reactionary war regime in power in more and more countries
Benedetta (DINAMOpress)
Dear #Letsencrypt, you helped secure millions and millions of servers, not just web servers. But your announcement at letsencrypt.org/2025/05/14/end… about ending TLS Client Authentication Certificate Support in 2026 because Google changes their requirements would result in your certificates becoming a possible risk for ensuring SMTP traffic. Please think again. Please.
1/5
Ending TLS Client Authentication Certificate Support in 2026
Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026. Most users who use Let’s Encrypt to secure websites won’t be affected and won’t need to take any action.
letsencrypt.org
globalist.it/politics/2025/05/…
Globalist's appeal.
We do not have the media coverage that others have.
That is why we ask everyone to circulate this appeal and share it as widely as possible.
We cannot stand by helplessly
Piazza del Popolo 2: to stay the hand of Gaza's executioners
Piazza del Popolo 2. To say that Europe, Italy, cannot, must not, be complicit in the genocide under way in Gaza.
globalist (Globalist.it)
Relatives of hostages call on Netanyahu to cooperate with Trump
Relatives of the hostages abducted by Hamas have called on the Israeli government to make joint efforts with the US to free the victims. The Israeli president should support Trump's efforts to secure a release, said the so-called Hostages Forum, which advocates for the families of the abducted.
📑 tagesschau.de/newsticker/liveb…
🕚 16.05. 11:08 CEST
#Nahost #Israel #Gaza #tagesschau
Middle East live blog: hostage relatives demand cooperation with Trump
The Israeli president Netanyahu should support Trump's efforts to free the hostages, the Hostages Forum demands. Meanwhile, at least 50 people were killed in Israeli attacks in the Gaza Strip.
tagesschau.de
With the Switch 2, Nintendo's Goal Is a Console for Every Member of the Family
https://www.bloomberg.com/news/articles/2025-05-16/with-the-switch-2-nintendo-s-goal-is-a-console-for-every-member-of-the-family?utm_source=flipboard&utm_medium=activitypub
Posted into Profiles @profiles-bloomberg
💥 Green fountain, PFAS & legal victory for the activists of Lyon
✨ Victory in court! Following the appeal trial (after a first acquittal in 2024), the eight activists from Extinction Rebellion and Youth for Climate are free of this long and gruelling legal procedure over their action at Arkema 🏭
ℹ️ 6 of the 8 activists are fully acquitted and 2 are sentenced to a fine of 300€ not entered on their criminal record 🧑⚖️
🎉 We consider that justice has been done and that this is a victory 🎉
⛲ To mark this court decision, the fountain on Place des Jacobins in Lyon was coloured green (with a non-polluting product) to highlight once again the omnipresence of PFAS in our environment, notably in the water we all drink 😱
ℹ️ generations-futures.fr/actuali… ℹ️
✏️ Clicker - an autoclicker for Linux that lets you simulate mouse clicks and key presses
©️ Free and open-source program
⬇️ Installation via: Flatpak package
👉 linuxmasterclub.ru/codelogisti…
#Linux #OpenSource #Программа #Software #Clicker
Clicker - automatic clicker for Linux | LinuxMaster Club
Clicker - an autoclicker for Linux that lets you simulate mouse clicks and key presses. Free and open-source program
troe (LinuxMaster Club)
Check out the Steam Playtest for SWAPMEAT, a co-op body-part swapping third-person shooter gamingonlinux.com/2025/05/chec…
#SWAPMEAT #IndieGame #Demo #PCGaming #SteamDeck #Linux
Check out the Steam Playtest for SWAPMEAT, a co-op body-part swapping third-person shooter
SWAPMEAT is an upcoming roguelite third-person shooter where you tear through alien worlds, harvesting body-parts to steal their powers.
Liam Dawe (GamingOnLinux)
The Elephant Foot glacier, located on the Kronprins Christian Land peninsula (north-east Greenland), is a striking piedmont glacier that flows into Lake Romer.
With a terminal lobe 5.4 kilometres wide, the glacier forms a distinctive circular fan of ice that spreads out from a central opening, almost forming the footprint of an elephant.
Credit: Copernicus Sentinel-2
👉 earthobservatory.nasa.gov/imag…
Elephant Foot Glacier
A piedmont-type glacier fans out across a plain in northeast Greenland.
earthobservatory.nasa.gov
Poliversity - Università ricerca e giornalismo reshared this.
At Rebuild 2025, a collective process was launched to produce a strategic manifesto for the sustainable transformation of Real Estate #bioedilizia #ediliziasostenibile #riqualificazioneedilizia #greenplanner
greenplanner.it/2025/05/14/reb…
At Rebuild 2025 the real estate manifesto is born
At Rebuild 2025, a collective process was launched to produce a strategic manifesto for the transformation of Real Estate
Paolo Galli (Edizioni Green Planner)
An isolated, angry Fetterman becomes yet another problem for Democrats
https://www.washingtonpost.com/politics/2025/05/16/john-fetterman-senate-relationships/?utm_source=flipboard&utm_medium=activitypub
Posted into Politics @politics-WashPost
Randolfe accuses Bolsonaro of vetoing transparency at the INSS and favouring suspect entities
By Cleber Lourenço During a Senate hearing this Thursday (15), Senator Randolfe Rodrigues (no party-AP) accused former president Jair Bolsonaro of having contributed to the spread of fraud at the INSS by vetoing, back in 2019, a section of Provisional Measure 871 that provided for greater transparency in the use of beneficiaries' data. According to Randolfe, a […]
In 2010, #AaronSwartz downloaded 70GB of academic articles from JSTOR. Result: a 1 million fine and 35 years in prison. In 2013, he took his own life.
In 2024, #Meta steals 80 terabytes of (#copyrigh ) books from LibGen and Z-Library to train its #AI. Result: zero consequences.
Beware of those who want to keep you ignorant. Knowledge is a right, not a privilege for the few.
In today's episode of Il Mondo: remigration is the far right's new watchword. Depardieu's conviction is a victory for all women. With Leonardo Bianchi and Giulia Siviero. @blicero.bsky.social @giuliasiviero.bsky.social
Il Mondo
Internazionale's daily podcast. Every morning at 6.00 with Claudio Rossi Marcelli and Giulia Zoli. Choose a broader perspective on the world.
Internazionale
🚀 Two Devol projects upgraded!
1️⃣ Hedgedoc.devol.it: The best open source Markdown editor, now on a new server!
✅ Zero tracking and real-time collaboration
2️⃣ Collabora Online: The office suite integrated into Nextcloud (based on LibreOffice) has become super fast!
✅ Open and edit documents (ODT, DOCX, etc.) faster than on your local PC.
💻 If you don't have a Nextcloud account you can request one:
➡️ cloud.mastodon.uno/apps/forms/…
Let us know if everything works well!
Open Internet Italia - Servizi Web liberi reshared this.
Barely a deal: EU trade ministers criticise the trade agreement between the United Kingdom and the United States
EU trade ministers have condemned the trade deal between the United States and the United Kingdom, warning that Brussels will not replicate London's decision to accept a 10% baseline tariff to avoid other levies on cars and metal…
Thomas Moller-Nielsen (EURACTIV)
Asia Smells Dollar Danger in Trade Talks: 3-Minute MLIV
https://www.bloomberg.com/news/videos/2025-05-16/asia-smells-dollar-danger-in-trade-talks-3-minute-mliv-video?utm_source=flipboard&utm_medium=activitypub
Posted into Bloomberg Television @bloomberg-television-bloomberg
Oh Canada
Hugz & xXx
Front Burner: Canada has a measles problem
Episode webpage: cbc.ca/frontburner
Media file: mgln.ai/e/12/cbc.mc.tritondigi…
I think the debt collectors need to be sent to the USA
Hugz & xXx
usafacts.org/articles/which-co…
Which countries own the most US debt?
As of April 2024, foreign countries own approximately $7.9 trillion in Treasury securities — or 22.9% of total US debt.
USAFacts
Freedom Flotilla Refuses Silence After Attack: ‘Madleen’ Will Sail for Gaza - Freedom Flotilla
MALTA | May 15, 2025 – In the face of state terrorism, media silence, and mounting global complicity, the Freedom Flotilla Coalition (FFC) today announces that its mission to break the illegal Israeli blockade of Gaza will move forward, undeterred.
FFC Media team (Freedom Flotilla)
#SpeakingOutOfPlace | The #GazaTribunal: Creating an Archive Against Genocide
"We talk with Lara Elborno, Richard Falk, and Penny Green, three members of the #Gaza Tribunal, which is set to convene in Sarajevo in a few days."
speakingoutofplace.com/2025/05…
#Palestine #PalestineSolidarity #GazaGenocide #oPt @palestine @israel
Asahi Linux Highlights Recent Upstream Efforts In Linux 6.15, Other Ongoing Efforts
With the Linux 6.15 kernel soon to debut as stable, the Asahi Linux project issued a new blog post outlining some of the new code they managed to get upstream for this next mainline kernel version as well as some of their other efforts for enabling Linux on modern Apple Silicon hardware...
phoronix.com/news/Asahi-Linux-…
"While more of the Apple M1 and M2 support is getting squared away and being upstreamed, the Apple M3 and M4 support remains a big undertaking that is looking like it will still be quite a while before it's nicely supported under Linux."
Maybe in one decade M1 and M2 devices will be properly supported.
≪ Beauty by the wayside ≫
#photography #fotografie #foto #photo #postprocessed #myphoto #mywork #ownwork #nature #natur #umwelt
Could the euro replace the dollar as global reserve currency? It’s not getting any less likely
Currencies are built on trust, and US policy is quickly eroding the dollar’s image as a safe haven.
The Conversation
Morning, this side of the window
1/2
#FensterFreitag #windowfriday #morning #sunrise #sky #photography
Oblomov reshared this.
Trump imposes sanctions on the ICC (International Criminal Court) by freezing bank accounts and blocking email accounts. With the collaboration of Microsoft.
Note well what has just happened: an organisation that is not under American law, not located on US soil, has just had its online services blocked because they displease the American government.
abcnews.go.com/International/w…
(thanks to @zgou)
Trump's sanctions on ICC prosecutor have halted tribunal's work
Nearly three months ago, U.S. President Donald Trump slapped sanctions on the International Criminal Court's chief prosecutor, Karim Khan
MOLLY QUELL Associated Press (ABC News)
@SebastienLugan
big big BIG problems.
Universities, research centres, the army, the national education system, hospitals...
I predict that:
- it will blow up elsewhere (a major service outage in a state that POTUS doesn't like)
- that we will hear, in a few years, of French data (companies/state) that will have been accessed by the US government via the GAFAM.
and it will be too late, of course.
(PS: GitHub has already been cut off in certain countries.)
national education: the mail services are hosted in-house, in the process of switching to an internal zimbra infrastructure
the clouds (nextcloud) likewise
with collaboraonline
the universities are for a large part on renater's shared service (zimbra), but some are on gmail…
likewise they are on nextcloud too
We must stand up to Trump's United States
Europe must give a forceful response to the trade war, seek strategic sovereignty in defence and high technology, and move closer to like-minded countries and the global south
Josep Borrell (Ediciones EL PAÍS S.L.)
Poland presidential election 2025: From migration to EU, what’s at stake?
https://www.aljazeera.com/news/2025/5/16/poland-presidential-election-2025-from-migration-to-eu-whats-at-stake?utm_source=flipboard&utm_medium=activitypub
Posted into Europe News @europe-news-AlJazeera
Poland presidential election 2025: From migration to EU, what’s at stake?
The two main contenders may disagree on the EU, but they have both embraced anti-migrant sentiment.
Agnieszka Pikulicka-Wilczewska (Al Jazeera)
Earth from Space: Svalbard Archipelago
Image: The Copernicus Sentinel-2 mission brings us this cloud-free view of Svalbard, a remote Norwegian archipelago in the Arctic Ocean.
#news #space #science #esa #europeanspaceagency
posted by pod_feeder_v2
#Eurovision : hypocrisy by #Zionists, and the organisers, and of course the #EU as a whole, as the #Zionist entry sings about "hope" while in #Gaza the #genocide and massacre of civilians continues.
The only hope that exists is a #Palestinian state.
North Korean ship appears to pose as Russian oligarch’s yacht to hide voyage | NK PRO
A North Korean vessel appears to have stolen the identity of a superyacht owned by Russian oligarch Roman Abramovich while sailing to a Chinese port, in what one expert described as a possible attempt to conceal illicit activity.
NK PRO
5 Notebooks of the “Chiama l’Africa” Campaign
Small notebooks on various topics.
Il blogverso italiano di Wordpress reshared this.
Twelve more suspects were charged in a RICO conspiracy for their alleged involvement in the theft of over $230 million in cryptocurrency and laundering the funds using crypto exchanges and mixing services.
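I hear that from iOS v16.4 onward, web pages added to the home screen (so-called PWAs) can send push notifications, but I wonder whether the Mastodon PWA supports this too. My iPhone can't go beyond v15.8.4, so I can't try it. I don't know how it behaves on Android either.
If anyone knows, please tell me.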
BBC: Kids exposed to social media posts about violence and suicide. “A BBC investigation has found young teenagers are being exposed to content about weapons, bullying, murder and suicide soon after joining social media platforms. The project, which saw six fictional profiles set up as 13-15-year-olds, found they were shown the ‘worrying’ posts within just minutes of scrolling on TikTok and […]
🌱It's Friday. Climate Friday.
One of the most efficient ways you can live in a more climate-friendly way is to eat a plant-based diet. But how do you get started?
How about simply trying your way through vegan cuisine? You'll probably find that it tastes much better and is more varied than you imagined.
You can make it easy to start by simply checking what's on offer today in your university cafeteria or canteen. Perhaps a vegan sausage with lentil soup or Asian wok vegetables?
Chances are good that you can try a vegan meal today. Because more and more university cafeterias and canteens offer vegan options every day. And they usually taste really good! 😋 Sometimes they are even cheaper than with meat; healthy and climate-friendly in any case.
📍You work from home or have no canteen at your workplace?
Then look around for university cafeterias or public canteens that welcome guests – there are bound to be some in your city too.
👉 More ideas can be found in our new article: “Eating vegan today in the university cafeteria or canteen”: my-friday.org/klimaschritte/he…
What vegan food have you already tried in the #Mensa or #Kantine? And was it tasty, or is there room for improvement? Feel free to tell us about it!
#myfriday #klimafreitag #klimaschritte #klimafreundlicheernährung #plantbased #pflanzenbasiert #pflanzenbetont #klimakrise
Eating vegan today in the university cafeteria or canteen • My Friday
Almost all university cafeterias and canteens offer vegan dishes today – many even daily. That makes it easy to try vegan food. And to convince yourself how good it tastes and that it is filling too.
Gabi (My Friday)
CWG Live updates: Very warm with potential for strong storms today and tomorrow
https://www.washingtonpost.com/weather/2025/05/16/dc-weather-live-updates-hot-thunderstorms/?utm_source=flipboard&utm_medium=activitypub
Posted into Local @local-WashPost
Spanish Monastery grounds
Miami
Photo of the Day
from my daily photo blog
Middle East crisis live: ‘a lot of people are starving’ in Gaza, says Trump, as Israeli strikes kill dozens
Widespread attacks across northern Gaza with survivors warning that people are trapped under the rubble
Amy Sedghi (The Guardian)
Gatti conducts Brahms and Bruckner's Ninth in Rome - Schedule // - www.worldconcerthall.com
The Accademia Nazionale di Santa Cecilia Choir and Orchestra conducted by Daniele Gatti perform: BRAHMS: Gesang der Parzen op. 89/ Schicksalslied op. 54. BRUCKNER: Symphony No. 9 in D minor. Live....
www.worldconcerthall.com
"findings indicate even mild #COVID19 can result in persistent neurocognitive deficits, structural brain alterations, & functional network abnormalities, both in individuals with & without brain fog"
sciencedirect.com/science/arti…
Screenshot from Science for ME update
@longcovid
#LongCovid #PASC #PwLC #postcovid #postcovid19 #PostCovidSyndrome #longhaulers #COVIDBrain #NeuroPASC
@covid19 #Coronavirus
#COVID #COVID_19 #COVIDー19 #SARSCoV2 @novid@chirp.social #novid @novid@a.gup.pe #CovidIsNotOver
@auscovid19 #auscovid19
The UK is in talks with other countries to set up overseas “return hubs” for asylum seekers who have exhausted the legal process, Prime Minister Sir Keir Starmer has said on his first official visit to Albania. Green Party co-leader Carla Denyer MP told the Huffington Post:
Mere months after rightly denouncing the last government’s failed Rwanda scheme as a gimmick and a waste of taxpayer money, Starmer is now looking for his own knock off version. Instead of wasting more taxpayer money trying to look tough, it’s time Starmer got a grip of the real driving force behind smuggling gangs: the fact that for most people who might need and be eligible to seek asylum in the UK, there is simply no safe and managed way to do so.
huffingtonpost.co.uk/entry/kei…
Keir Starmer's Latest Immigration Plan Is Reminding People Of 1 Failed Tory Policy
The prime minister has been accused of coming up with a "knock off" version of the last government's notorious Rwanda scheme.
Kevin Schofield (HuffPost UK)
Rumours about the imminent release of new AirPods Pro have been circulating for a long time. A recent leak now seems to confirm their imminent market launch. The long-awaited AirPods Pro 3 could actually, as soon as in the near futu
apfeltalk.de/magazin/news/appl…
#News #Zubehr #AirPodsAngebote #AirPodsPro3 #Apple #Elektronik #Leaks #Produktstart #Software #TechNews #Technologie #Zubehr


Jan Wildeboer 😷
in reply to Jan Wildeboer 😷
Just at the time where all over the world discussions are happening to move mail servers back into organisations big and small instead of relying on the big email providers, due to risks associated with centralising email at (US) providers, you are willing to make life even more complicated for us postmasters. This is not what you should be doing. You should make it easier to use encryption instead of telling us postmasters to find out ourselves where we can buy certificates in future.
2/5
reshared this
Oblomov reshared this.
Jan Wildeboer 😷
in reply to Jan Wildeboer 😷
Sure, #LetsEncrypt, you can say that using certificate based client auth is a minor use case and that this functionality was never guaranteed to always be available and all of that. But the fact stays: you are removing a feature from your certificates that has been here for a very long time, just because Google demands this. Why Google wants this? I will ask them. But I am quite sure that this #oopsie side effect is not an oversight.
3/5
Oblomov reshared this.
Jan Wildeboer 😷
in reply to Jan Wildeboer 😷
The policy change at Google is documented here: googlechrome.github.io/chromer…
- prior to June 15, 2026, include the extendedKeyUsage extension and (1) only assert an extendedKeyUsage purpose of id-kp-serverAuth OR (2) only assert extendedKeyUsage purposes of id-kp-serverAuth and id-kp-clientAuth.
- on or after June 15, 2026, include the extendedKeyUsage extension and only assert an extendedKeyUsage purpose of id-kp-serverAuth.
The document doesn't explain why dropping clientAuth is now required
4/5
Chrome Root Program Policy, Version 1.6
googlechrome.github.io
Oblomov reshared this.
Jan Wildeboer 😷
in reply to Jan Wildeboer 😷
This means that you would have to run separate CAs/PKIs (Certificate Authority/Public Key Infrastructure) for certs that Google accepts to trust (with only ServerAuth allowed) and one for certs with other EKU (Extended Key Usage) features (like ClientAuth). For server admins that results in two different certificates per server/domain name where right now you have it "all in one".
5/5
Oblomov reshared this.
Jan Wildeboer 😷
in reply to Jan Wildeboer 😷
Addendum: This will have impact on many solutions that use mTLS (Mutual TLS).
"Could my mTLS or cloud-API use cases be affected?
Yes. Any system using public TLS certificates for mutual TLS or machine-to-machine calls—rather than separate ServerAuth and ClientAuth certificates—will break once Chrome distrusts mixed-use intermediates. Financial institutions and service-mesh deployments are the most common examples."
digicert.com/blog/how-the-clie…
How the ClientAuth Crackdown Is Pushing Finance Toward X9 PKI
DigiCert
Jan Wildeboer 😷
in reply to Jan Wildeboer 😷
Addendum 2: Google wants TLS certificates to ONLY have the ServerAuth EKU. Any other EKU [1] in a certificate automatically means the certificate is NOT trusted by Chrome from mid next year.
What other EKUs exist and do you think it makes sense to exclude them all? IMHO this is a radical approach to TLS. But it seems to be the accepted position. No more certs with any EKU but ServerAuth.
[1] docs.openssl.org/3.4/man5/x509…
x509v3_config - OpenSSL Documentation
docs.openssl.org
Oblomov reshared this.
IchEben
in reply to Jan Wildeboer 😷
I don't know / don't understand why they stop issuing these certificates completely. As far as I understand, it would be possible to add a profile to get certs with e.g. client-auth EKU but without server-auth EKU...
Would be more hassle as you could not use the same cert anymore but at least there would be a solution without fiddling with my own private PKI ...
Phil Ashby 🍵
in reply to IchEben
@IchEben IMO this would be a reasonable position for LetsEncrypt, have two PKI hierarchies: one for server auth (prb 99% of their use cases), one for client auth (1%) to separate the root certs, and keeping the client auth root out of Google's hair.
[Edit] this allows other cert distributions for servers (eg debian ca-certificates package) to continue to support client auth out of the box too.
Jan Wildeboer 😷
in reply to Phil Ashby 🍵
Daniel Fisher(lennybacon)
in reply to Jan Wildeboer 😷
Jan Wildeboer 😷
in reply to Daniel Fisher(lennybacon)
@lennybacon Not according to Letsencrypt:
"May 13, 2026: the tlsclient ACME profile will no longer be available and no further certificates with the Client Authentication EKU will be issued."
and
"After this change is complete, only TLS Server Authentication will be available from Let’s Encrypt."
letsencrypt.org/2025/05/14/end…
@phlash @IchEben
Ending TLS Client Authentication Certificate Support in 2026
letsencrypt.org
Daniel Fisher(lennybacon)
in reply to Jan Wildeboer 😷
Daniel Fisher(lennybacon)
in reply to Daniel Fisher(lennybacon)
Welcome to CAcert.org
www.cacert.org
Lars Marowsky-Brée 😷
in reply to Jan Wildeboer 😷
I'm a bit confused. Client certs rely on the server/issuer having the private key, no? And I'd not want that key to be in the hands of a third party?
I've always generated those myself, unlike the ones I need for public SSL/TLS.
Those don't need to be bought but maybe the mail servers in question need a better admin UX for managing them as part of the user management?
Andi Barth
in reply to Lars Marowsky-Brée 😷
David Chisnall (*Now with 50% more sarcasm!*)
in reply to Andi Barth
James P Brosnahan
in reply to David Chisnall (*Now with 50% more sarcasm!*)
James P Brosnahan
in reply to James P Brosnahan
David Chisnall (*Now with 50% more sarcasm!*)
in reply to James P Brosnahan
@Jpbrosnahan1 @AndiBarth @larsmb
Which is totally irrelevant for the use case under discussion in this thread (allowing a mail server under your control to establish an authenticated connection to another mail server under your control). Allowing machines not under your control to connect is the thing that you are trying to prevent. The fact that public PKI makes this possible is a bug, not a feature.
Bernd Paysan R.I.P Natenom 🕯️
in reply to Jan Wildeboer 😷
Hm…
abcnews.go.com/International/w…
Sure, using Microsoft as mail hoster was always a stupid idea, but this is the proof why.
There was always the question if you could trust LetsEncrypt as US entity. The answer is now clear: No!
The US WANTS to monopolize e-mail, and use it to sanction enemies.
There are two things to do now:
1. Change the Mail Server code so that incoming connections are ok when they present a server certificate
2. Scold LetsEncrypt. At least DNS-verified client certificates need to be possible (for mail-only servers, DNS verification is the way to go, anyways).
Trump's sanctions on ICC prosecutor have halted tribunal's work
MOLLY QUELL Associated Press (ABC News)
Jan Wildeboer 😷
Unknown parent
David Chisnall (*Now with 50% more sarcasm!*)
Unknown parent
@larsmb @Jpbrosnahan1 @AndiBarth
I find it hard to imagine that there are people who are capable of deploying the kind of systems that creates a need for PKI, who cannot run the tiny handful of openssl command line commands it needs.
Being able to configure a web or mail server that works with Let's Encrypt is at least as hard. Even installing a web server is almost as hard.
And that's assuming that they use the openssl command line directly. There are (open source) packaged wrappers that make it much easier.
The problem is not having a ClientAuth EKU certificate, the problem is having a certificate that has both ServerAuth and ClientAuth EKU flags. These are different uses. A certificate is never simultaneously used for both. If you are establishing a connection and presenting a certificate, you want a client certificate. If you are accepting an incoming connection and presenting a certificate, you want a ServerAuth certificate.
Combining the two violates two of the most fundamental principles in computer security:
There have been compromises as a result of trusting certificates that were issued for server use as clients and vice versa. This is why EKU was added in the first place, setting both the client and server EKUs misses the point. I'm not sure why LE ever did this. Especially since they've explicitly said on numerous occasions that they don't issue client certificates (which is a shame, I wish they'd provide a flow for issuing S/MIME certs).
Their certificates have very limited use for client auth. Most of the time you want more than a domain name when authenticating clients. You want to authenticate users and you want to authenticate them with some specific claim.
Server certificates are simpler because the claim that you want to authenticate with the certificate is that the owner of the domain name that you think you're connecting to is responsible for the other endpoint. With client certificates, simply binding to a domain rarely makes sense. For situations where this actually is what you want, protocols often use dial-back, where the server establishes a connection back to the server, which tells you both that they have the certificate for that domain and control (or can hijack connections to) the IP associated with that domain (XMPP does this, for example, because early 2000s anti-spam ideas thought that knowing the sending domain was useful, but this doesn't work for email because relaying complicates the whole thing).
Lars Marowsky-Brée 😷
Unknown parent
@david_chisnall @Jpbrosnahan1 @AndiBarth But setting up a "PKI" for my (private/personal) use client certs (where I don't want an outside party to know the private key, nor there be any record in a public cert log) was quite easy?
The linked article (digicert.com/blog/how-the-clie…) drives this point home: "separate public and private trust" and suggests this makes sense?
I use mTLS quite a bit for my setups and using LE for that hasn't ever crossed my mind.
I must be missing something.
How the ClientAuth Crackdown Is Pushing Finance Toward X9 PKI
DigiCert
Jan Wildeboer 😷
in reply to Lars Marowsky-Brée 😷
lucasmz (en)
in reply to Jan Wildeboer 😷
lucasmz (en)
in reply to Jan Wildeboer 😷