Sorry - I mixed points on that email. The concern with serverAuth is not related to technically constrained intermediates. Instead, the potential conflict is with "Things for CAs to Fix" found at https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
The text:

1. All new intermediate certificates that include the EKU extension and will be used for SSL certificate issuance, must include the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU. Mozilla will stop recognizing the "Netscape Server Gated Crypto (2.16.840.1.113730.4.1)" EKU.

This is contrary to the advice in 5280. I think it may cause issues in other communities who are also recommending that intermediates omit the EKU. I'll check with the communities in question and get back to you.

Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kathleen Wilson
Sent: Tuesday, May 13, 2014 8:20 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DRAFT: May CA Communication

On 5/13/14, 6:07 AM, Gervase Markham wrote:
> On 13/05/14 01:44, Jeremy Rowley wrote:
>> Also, the technical constraint of serverAuth won't work properly
>> since anyEKU (or a lack of EKU) is required in some grid, EU, and fed space certs.
>> Unfortunately, their policies conflict with the technical constraints
>> Mozilla hopes to implement.
>
> Hi Jeremy,
>
> Can you expand on this a little?
>
> The Firefox requirement is that serverAuth be included. It doesn't say
> anyEKU must be not included.
>

See the last sentence in:
http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/

"9. We encourage CAs to technically constrain all subordinate CA certificates. For a certificate to be considered technically constrained, the certificate MUST include an Extended Key Usage (EKU) extension specifying all extended key usages that the subordinate CA is authorized to issue certificates for. The anyExtendedKeyUsage KeyPurposeId MUST NOT appear within this extension."
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
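The two rules the thread is arguing about (the "Things for CAs to Fix" item, which wants id-kp-serverAuth in any intermediate EKU used for SSL issuance, and inclusion-policy item 9, which forbids anyExtendedKeyUsage in a technically constrained intermediate) can be checked mechanically from the DER bytes of an intermediate's ExtendedKeyUsage extension. The following is an added example, not code from the thread, from Mozilla or from any CA: a minimal DER decoder for the EKU value plus a check that reports which of the quoted rules an intermediate would fail. The three sample extension values are constructed here; the anyExtendedKeyUsage OID (2.5.29.37.0) and id-kp-clientAuth (1.3.6.1.5.5.7.3.2) come from RFC 5280 and are not quoted in the thread.

```python
# Added example: decode a DER ExtendedKeyUsage value and apply the two
# rules quoted in the thread (serverAuth required, anyEKU forbidden).

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"        # id-kp-serverAuth (quoted in the thread)
NETSCAPE_SGC = "2.16.840.1.113730.4.1"   # Netscape Server Gated Crypto (quoted in the thread)
ANY_EKU = "2.5.29.37.0"                  # anyExtendedKeyUsage, RFC 5280 4.2.1.12 (assumed)


def _read_tlv(buf, pos):
    """Return (tag, content_bytes, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long-form length: low 7 bits = octet count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    first = arcs[0]                      # first two arcs are packed as 40*X + Y
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_eku(der):
    """Parse ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    return oids


def check_intermediate_eku(der_or_none):
    """Evaluate an intermediate's EKU against the rules quoted in the thread.

    der_or_none is the DER extension value, or None for an intermediate that
    carries no EKU extension at all. Returns (passes, findings).
    """
    if der_or_none is None:
        # No EKU: not technically constrained, so item 9 does not apply; the
        # intermediate is unconstrained rather than constrained to serverAuth.
        return False, ["no EKU extension: intermediate is not technically constrained"]
    oids = parse_eku(der_or_none)
    findings = []
    if ANY_EKU in oids:
        findings.append("anyExtendedKeyUsage present: MUST NOT appear (inclusion policy item 9)")
    if SERVER_AUTH not in oids:
        findings.append("id-kp-serverAuth missing: cannot be used for SSL issuance under mozilla::pkix")
        if NETSCAPE_SGC in oids:
            findings.append("only Netscape SGC present: Mozilla will stop recognizing it as serverAuth")
    return not findings, findings


# Constructed sample EKU values (hand-encoded DER, not taken from any real CA).
EKU_SERVER_CLIENT = bytes.fromhex("3014 0608 2b06010505070301 0608 2b06010505070302")
EKU_WITH_ANY = bytes.fromhex("3010 0608 2b06010505070301 0604 551d2500")
EKU_SGC_ONLY = bytes.fromhex("300b 0609 608648018 6f8420401".replace(" ", ""))


if __name__ == "__main__":
    for label, value in [("serverAuth+clientAuth", EKU_SERVER_CLIENT),
                         ("serverAuth+anyEKU", EKU_WITH_ANY),
                         ("Netscape SGC only", EKU_SGC_ONLY),
                         ("no EKU", None)]:
        ok, findings = check_intermediate_eku(value)
        print(label, "->", "OK" if ok else "; ".join(findings))
```

Running the script prints one verdict per sample; the first passes both rules, the second fails item 9, the third fails the serverAuth requirement (with the SGC note), and the EKU-less intermediate is reported as simply unconstrained, which is the case Jeremy's grid, EU and federal examples fall into.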