During the CAB Forum discussion on this issue, someone brought up that Qualified Certs in the EU are supposed to have either the anyEKU present or omit the EKU. I think the post originated from Chema Gonzalez, but I'll let him confirm. I'm not sure the certs need to be recognized in browsers since we don't issue them.
I'm not sure there is a hard conflict. However, there is a best practices conflict, as 5280 states that "In general, this extension will appear only in end entity certs" at 4.2.1.12, whereas Mozilla's new instruction is "All new intermediate certificates that include the EKU extension and will be used for SSL certificate issuance, must include the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU." I'll look into whether the other communities only recommend that the CAs follow the 5280 guidance for intermediates or require it and get back to you.

Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Gervase Markham
Sent: Tuesday, May 13, 2014 7:08 AM
To: Jeremy Rowley; 'Kathleen Wilson'; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DRAFT: May CA Communication

On 13/05/14 01:44, Jeremy Rowley wrote:
> Also, the technical constraint of serverAuth won't work properly since
> anyEKU (or a lack of EKU) is required in some grid, EU, and fed space certs.
> Unfortunately, their policies conflict with the technical constraints
> Mozilla hopes to implement.

Hi Jeremy,

Can you expand on this a little? The Firefox requirement is that serverAuth be included. It doesn't say anyEKU must not be included.

If the certs you mention require EKU not to be present (what spec says they can even do that?), then are these certs that need to be recognised in Firefox, or not?

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
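The two constraints argued over in this thread (the Mozilla wording that an SSL-issuing intermediate carrying an EKU must list id-kp-serverAuth, and the "anyEKU present or EKU omitted" pattern Jeremy reports for qualified certs) can be checked mechanically. The following is an added example, not code posted by anyone in the thread: a pure-Python DER encoder/decoder for the ExtKeyUsageSyntax value (SEQUENCE OF OBJECT IDENTIFIER, RFC 5280 section 4.2.1.12) and a classifier that reports which of the two constraints a given intermediate EKU satisfies. The five sample EKU sets at the bottom are constructed for illustration, not taken from any real CA.

```python
# Added example (not from the thread): encode/decode an ExtKeyUsageSyntax
# value in DER and classify an intermediate's EKU against the constraints
# discussed above.  Standard library only.

from typing import List, Optional

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"    # anyExtendedKeyUsage

TAG_OID = 0x06
TAG_SEQUENCE = 0x30


def _der_length(n: int) -> bytes:
    """DER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_length(buf: bytes, pos: int):
    """Parse a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    if count == 0 or count > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def _encode_base128(value: int) -> bytes:
    """Base-128 sub-identifier: 7 bits per byte, high bit set on all but the last."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(reversed(out))


def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + oid)
    body = _encode_base128(arcs[0] * 40 + arcs[1])  # first two arcs share one sub-id
    for arc in arcs[2:]:
        body += _encode_base128(arc)
    return bytes([TAG_OID]) + _der_length(len(body)) + body


def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    if value or not subids:
        raise ValueError("truncated OID content")
    first = subids[0]
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    arcs.extend(subids[1:])
    return ".".join(str(a) for a in arcs)


def encode_eku(oids: List[str]) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    if not oids:
        raise ValueError("ExtKeyUsageSyntax must contain at least one OID")
    content = b"".join(encode_oid(o) for o in oids)
    return bytes([TAG_SEQUENCE]) + _der_length(len(content)) + content


def decode_eku(der: bytes) -> List[str]:
    """Parse an ExtKeyUsageSyntax value back into a list of dotted OIDs."""
    if not der or der[0] != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("trailing data after SEQUENCE")
    oids = []
    while pos < end:
        if der[pos] != TAG_OID:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid_len, pos = _read_length(der, pos + 1)
        oids.append(decode_oid(der[pos:pos + oid_len]))
        pos += oid_len
    if not oids:
        raise ValueError("empty ExtKeyUsageSyntax")
    return oids


def classify_intermediate_eku(eku: Optional[List[str]]) -> dict:
    """Check an intermediate's EKU (None = extension absent) against the two
    constraints from the thread.  The Mozilla sentence only binds intermediates
    that carry the extension, so an absent EKU does not violate it; the
    qualified-cert pattern wants anyEKU present or the EKU omitted."""
    present = eku is not None
    has_server_auth = present and ID_KP_SERVER_AUTH in eku
    has_any_eku = present and ANY_EXTENDED_KEY_USAGE in eku
    return {
        "eku_present": present,
        "mozilla_serverauth_rule_ok": (not present) or has_server_auth,
        "qualified_pattern_ok": (not present) or has_any_eku,
        # RFC 5280 4.2.1.12: anyExtendedKeyUsage means "no restriction", so an
        # EKU that contains it (or no EKU at all) does not limit issuance.
        "eku_limits_issuance": present and not has_any_eku,
    }


def demo() -> dict:
    """Constructed sample intermediates (not real CA data) and their verdicts."""
    samples = {
        "no EKU": None,
        "serverAuth only": [ID_KP_SERVER_AUTH],
        "anyEKU only": [ANY_EXTENDED_KEY_USAGE],
        "serverAuth + anyEKU": [ID_KP_SERVER_AUTH, ANY_EXTENDED_KEY_USAGE],
        "clientAuth only": [ID_KP_CLIENT_AUTH],
    }
    verdicts = {}
    for name, oids in samples.items():
        # Round-trip through DER so the classifier sees what a parser would.
        decoded = decode_eku(encode_eku(oids)) if oids is not None else None
        verdicts[name] = classify_intermediate_eku(decoded)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The "serverAuth + anyEKU" row is the case Gerv's reply points at: it satisfies both the Mozilla wording and the anyEKU-or-omitted pattern, but because anyEKU is present the extension no longer limits what the intermediate may issue, which is the trade-off the thread is really about.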