On 5/13/14, 6:07 AM, Gervase Markham wrote:
> On 13/05/14 01:44, Jeremy Rowley wrote:
> > Also, the technical constraint of serverAuth won't work properly since
> > anyEKU (or a lack of EKU) is required in some grid, EU, and fed space certs.
> > Unfortunately, their policies conflict with the technical constraints
> > Mozilla hopes to implement.
>
> Hi Jeremy,
>
> Can you expand on this a little?
>
> The Firefox requirement is that serverAuth be included. It doesn't say
> anyEKU must not be included.
>
> See the last sentence in:
> http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
>
> "9. We encourage CAs to technically constrain all subordinate CA
> certificates. For a certificate to be considered technically
> constrained, the certificate MUST include an Extended Key Usage (EKU)
> extension specifying all extended key usages that the subordinate CA is
> authorized to issue certificates for. The anyExtendedKeyUsage
> KeyPurposeId MUST NOT appear within this extension."
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
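The EKU rules the thread argues about can be checked mechanically against a subordinate CA certificate. The following is an added example, not code from the thread, from Mozilla or from any CA: it decodes the DER value of an extKeyUsage extension (a SEQUENCE OF OBJECT IDENTIFIER, RFC 5280 4.2.1.12) without third-party libraries and applies only the two EKU points raised above, namely the policy item 9 rule (EKU present, anyExtendedKeyUsage absent) and Gerv's remark that Firefox looks for serverAuth. Name constraints and the rest of the policy are out of scope. The three DER values at the bottom are constructed for the demonstration and correspond to the cases discussed: a serverAuth+clientAuth sub-CA, one that also carries anyEKU, and one with no EKU at all.

```python
"""EKU part of the "technically constrained" test discussed in the thread.

Added example, not code from the thread, Mozilla or any CA.  Parses the DER
value of an extKeyUsage extension with no third-party library and applies
only the EKU rules mentioned above; name constraints are not checked.
"""

# KeyPurposeId OIDs from RFC 5280.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage


def _read_tlv(data, pos):
    """Return (tag, content, next_pos) for the DER element starting at data[pos]."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("DER element runs past end of data")
    return tag, data[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    cur, pending = 0, False
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        pending = bool(b & 0x80)  # high bit set means more octets in this arc
        if not pending:
            arcs.append(cur)
            cur = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """Return the list of KeyPurposeId OIDs in an extKeyUsage extension value."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extKeyUsage value must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("extKeyUsage SEQUENCE may contain only OBJECT IDENTIFIERs")
        oids.append(_decode_oid(content))
    return oids


def eku_constraint_check(eku_der):
    """Evaluate a subordinate CA's extKeyUsage against the rules in the thread.

    eku_der is the DER value of the extension, or None when the certificate
    carries no extKeyUsage extension at all.  Returns a dict with:
      constrained  - True only if an EKU is present and anyExtendedKeyUsage is
                     absent (inclusion policy item 9, quoted above)
      server_auth  - True if id-kp-serverAuth is listed (the Firefox point)
      ekus         - the decoded OIDs, for reporting
      reasons      - why the certificate fails the item 9 test
    """
    if eku_der is None:
        return {"constrained": False, "server_auth": False, "ekus": [],
                "reasons": ["no extKeyUsage extension (item 9: MUST include one)"]}
    ekus = parse_eku(eku_der)
    reasons = []
    if ANY_EKU in ekus:
        reasons.append("anyExtendedKeyUsage present (item 9: MUST NOT appear)")
    return {"constrained": not reasons, "server_auth": SERVER_AUTH in ekus,
            "ekus": ekus, "reasons": reasons}


# Constructed DER extKeyUsage values (not taken from any real certificate).
EKU_SERVER_CLIENT = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
EKU_ANY_AND_SERVER = bytes.fromhex("3010" "06082b06010505070301" "0604551d2500")
EKU_ABSENT = None  # the "lack of EKU" case Jeremy raises

if __name__ == "__main__":
    for label, der in [("serverAuth+clientAuth", EKU_SERVER_CLIENT),
                       ("anyEKU+serverAuth", EKU_ANY_AND_SERVER),
                       ("no EKU extension", EKU_ABSENT)]:
        print(label, eku_constraint_check(der))
```

Running it shows the conflict in one screen: the sub-CA that lists only specific purposes passes item 9 and includes serverAuth, while both the anyEKU profile and the EKU-less profile fail item 9, which is exactly why certificates written to policies that demand anyEKU or no EKU cannot be counted as technically constrained under this wording.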