On 5/13/14, 8:37 AM, Moudrick M. Dadashov wrote:
On 5/13/2014 6:26 PM, Jeremy Rowley wrote:
During the CAB Forum discussion on this issue, someone brought up that Qualified Certs in the EU are supposed to have either the anyEKU present or omit the EKU. I think the post originated from Chema Gonzalez, but I'll let him confirm. I'm not sure the certs need to be recognized in browsers since we don't issue them.
Correct, and in a typical scenario the QC CA and SSL CA are two independent **different** services.

That is the approach I hope CAs are taking.

I'm not sure there is a hard conflict. However, there is a best-practices conflict, as 5280 states that "In general, this extension will appear only in end entity certs" at 4.2.1.12, whereas Mozilla's new instruction is "All new intermediate certificates that include the EKU extension and will be used for SSL certificate issuance, must include the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU." I'll look into whether the other communities only recommend that the CAs follow the 5280 guidance for intermediates or require it, and get back to you.
As Kathleen noted just recently, for the "audited and disclosed" CAs this shouldn't be a problem. Following RFC 5280 is a good practice.

Yes.

Kathleen
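One way to mechanise the rule quoted above, as an added example that is not part of this thread or of Mozilla's tooling: decode the DER-encoded ExtKeyUsageSyntax from an intermediate's EKU extension and report whether an SSL-issuing intermediate carries id-kp-serverAuth. The function names and the short-form-length-only DER handling are this example's own assumptions; the sample extension values are constructed inline.

```python
# Added example: decode a DER ExtKeyUsageSyntax (SEQUENCE OF OID) and test an
# intermediate CA's EKU against the Mozilla instruction quoted in the thread.
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"  # anyEKU, as used by the EU Qualified Certs

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted form; base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (short-form length only)."""
    inner = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(inner)]) + inner

def decode_eku(der):
    """Parse the SEQUENCE OF OID back into dotted strings (first arc 0, 1 or 2)."""
    assert der[0] == 0x30 and der[1] == len(der) - 2, "not a short-form SEQUENCE"
    pos, oids = 2, []
    while pos < len(der):
        length = der[pos + 1]
        body = der[pos + 2:pos + 2 + length]
        arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
        value = 0
        for b in body[1:]:
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:          # high bit clear ends the arc
                arcs.append(value)
                value = 0
        oids.append(".".join(map(str, arcs)))
        pos += 2 + length
    return oids

def check_intermediate_eku(eku_der, used_for_ssl_issuance):
    """Rule quoted above: an intermediate with an EKU extension that will issue
    SSL certificates must list id-kp-serverAuth; no extension (RFC 5280 default) passes."""
    if eku_der is None:
        return "ok: no EKU extension (RFC 5280 4.2.1.12 default)"
    oids = decode_eku(eku_der)
    if not used_for_ssl_issuance:
        return "ok: EKU present, CA not used for SSL issuance"
    if ID_KP_SERVER_AUTH in oids:
        return "ok: id-kp-serverAuth present"
    return "violation: EKU present without id-kp-serverAuth: " + ", ".join(oids)
```

The decoder reports anyExtendedKeyUsage as its own OID rather than treating it as satisfying the serverAuth requirement, since the quoted instruction names id-kp-serverAuth explicitly.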


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy