On 06/05/14 20:58, Brian Smith wrote:
> That isn't quite right either. It is OK for the intermediate certificate to
> omit the EKU extension entirely.
Well, not if we fix https://bugzilla.mozilla.org/show_bug.cgi?id=968817 which Brian agreed that we could do. RFC 5280 says (section 4.2.1.2):

"Certificate using applications MAY require that the extended key usage extension be present and that a particular purpose be indicated in order for the certificate to be acceptable to that application."

I think we should be aiming to require serverAuth in all intermediates and EE certs for SSL. I think that makes it much less likely that we will end up accepting as valid for SSL a cert someone has issued for another purpose entirely (e.g. smartcards).

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

