Is there a list of Extended Key Usages that are within scope for the Mozilla CA Program?
The definition for technically constrained indicates that the CA certificates must include all EKUs that the CA is authorized to issue certificates for. I assume if the only included EKUs are not in scope for the Mozilla CA Program, then any further subordinate CAs are not in scope.

For example, if UberRootCA is in the NSS root certificate store, and it issues PrivateChildA with CA=TRUE in BasicConstraints and the only OID in the EKU is 2.999.1.27288.9, then any certificates subordinate to PrivateChildA are out of scope, regardless of their content.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
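The check the message describes, as an added example that is not part of the original post or of any Mozilla tooling: it decodes the DER body of an Extended Key Usage extension and reports whether any listed OID falls in a caller-supplied in-scope set. The in-scope set (id-kp-serverAuth alone), the function names and the sample bytes are assumptions constructed for illustration, since the post itself gives no list, and the logic follows the reading the post assumes rather than a confirmed policy interpretation.

```python
# Stand-in only: the post asks for the real list and does not give one.
ASSUMED_IN_SCOPE = {"1.3.6.1.5.5.7.3.1"}  # id-kp-serverAuth

# Constructed DER for SEQUENCE OF OID (the extnValue body of an EKU extension).
PRIVATE_CHILD_A_EKU = bytes.fromhex("3009060788370181d51809")  # 2.999.1.27288.9 only
MIXED_EKU = bytes.fromhex("301306082b06010505070301060788370181d51809")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content bytes into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, value = [], 0
    for b in body:  # base-128 digits, high bit set on all but the last
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]  # encodes 40 * arc1 + arc2; under arc 2 it may exceed one byte
    arc1 = min(first // 40, 2)
    return ".".join(map(str, [arc1, first - 40 * arc1] + subids[1:]))

def parse_eku(der):
    """Return the list of key purpose OIDs in an EKU extension value."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    return oids

def eku_has_in_scope_usage(der, in_scope):
    """True if the EKU names at least one OID from the in-scope set."""
    return any(oid in in_scope for oid in parse_eku(der))
```

The first subidentifier of 2.999 is 1079 and spans two bytes, so an OID decoder that assumes a single-byte first arc will misread the post's example OID.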