On 5/13/14, 8:32 AM, Jeremy Rowley wrote:
Sorry - I mixed points on that email. The concern with serverAuth is not
related to technically constrained intermediates. Instead, the potential
conflict is with "Things for CAs to Fix" found at
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
The text:
1. All new intermediate certificates that include the EKU extension and will
be used for SSL certificate issuance, must include the id-kp-serverAuth
(1.3.6.1.5.5.7.3.1) EKU. Mozilla will stop recognizing the "Netscape Server
Gated Crypto (2.16.840.1.113730.4.1)" EKU.
This is contrary to the advice in 5280. I think it may cause issues in
other communities who are also recommending that intermediates omit the EKU.
I'll check with the communities in question and get back to you.
Jeremy
It doesn't say that the intermediate cert has to include the EKU.
It says that *if* the intermediate cert does include the EKU and will be
used for SSL certs, then it will have to include the id-kp-serverAuth EKU.
So I'm still not following what the issue is here.
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
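The rule as Kathleen reads it (no EKU extension: unaffected; EKU present on an intermediate used for SSL issuance: must carry id-kp-serverAuth, with Netscape SGC no longer counting), as an added example that is not part of this thread or of Mozilla's code. The DER samples are constructed from the two OIDs quoted in the message; the parser assumes short-form lengths, which is always the case for an EKU value of this size.

```python
# Added example (not from the thread or Mozilla's code): decode a DER EKU value
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # quoted in the thread
NETSCAPE_SGC = "2.16.840.1.113730.4.1"       # quoted in the thread; no longer recognized

def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    subids, value = [], 0
    for b in body:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not (b & 0x80):
            subids.append(value)
            value = 0
    first = subids[0]                   # first two arcs are packed into one subid
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, arcs + subids[1:]))

def decode_eku(der: bytes) -> list:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER (short-form lengths only)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80 or 2 + der[1] != len(der):
        raise ValueError("not a short-form DER SEQUENCE")
    oids, pos = [], 2
    while pos < len(der):
        tag, length = der[pos], der[pos + 1]
        if tag != 0x06 or pos + 2 + length > len(der):
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids

def intermediate_eku_ok(eku_der, issues_ssl: bool):
    """Apply the wiki rule as read in the thread; eku_der is None when the EKU extension is absent."""
    if eku_der is None:
        return True, "no EKU extension: the rule does not apply (omitting EKU on CAs stays fine)"
    oids = decode_eku(eku_der)
    if not issues_ssl:
        return True, "EKU present, but the intermediate is not used for SSL issuance"
    if ID_KP_SERVER_AUTH in oids:
        return True, "id-kp-serverAuth present"
    if NETSCAPE_SGC in oids:
        return False, "only Netscape Server Gated Crypto: Mozilla will stop recognizing it"
    return False, "EKU present on an SSL-issuing intermediate without id-kp-serverAuth"

# Constructed DER samples: SEQUENCE { serverAuth, nsSGC } and SEQUENCE { nsSGC }.
EKU_SERVERAUTH_AND_SGC = bytes.fromhex("3015 0608 2b06010505070301 0609 6086480186f8420401")
EKU_SGC_ONLY = bytes.fromhex("300b 0609 6086480186f8420401")

if __name__ == "__main__":
    for label, der in [("both", EKU_SERVERAUTH_AND_SGC), ("sgc-only", EKU_SGC_ONLY), ("absent", None)]:
        print(label, intermediate_eku_ok(der, issues_ssl=True))
```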