That actually clears things up. Intermediate certs aren't required to have an EKU but, if they do and the intermediate will be used for SSL, they must have the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU.
Thanks Kathleen!

Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kathleen Wilson
Sent: Tuesday, May 13, 2014 9:38 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DRAFT: May CA Communication

On 5/13/14, 8:32 AM, Jeremy Rowley wrote:
> Sorry - I mixed points on that email. The concern with serverAuth is
> not related to technically constrained intermediates. Instead, the
> potential conflict is with "Things for CAs to Fix" found at
> https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
>
> The text:
> 1. All new intermediate certificates that include the EKU extension
> and will be used for SSL certificate issuance, must include the
> id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU. Mozilla will stop recognizing
> the "Netscape Server Gated Crypto (2.16.840.1.113730.4.1)" EKU.
>
> This is contrary to the advice in 5280. I think it may cause issues
> in other communities who are also recommending that intermediates omit the EKU.
> I'll check with the communities in question and get back to you.
>
> Jeremy
>

It doesn't say that the intermediate cert has to include the EKU. It says that *if* the intermediate cert does include the EKU and will be used for SSL certs, then it will have to include the id-kp-serverAuth EKU. So I'm still not following what the issue is here.

Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
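As an added illustration (not code from the thread, from Mozilla or from DigiCert), the Python below decodes the DER extnValue of an ExtKeyUsage extension and applies the rule as Kathleen restates it: no EKU at all is acceptable, an EKU on an intermediate used for SSL issuance must include id-kp-serverAuth, and Netscape Server Gated Crypto on its own no longer counts. The sample extnValue byte strings are hand-constructed for this example, and the rule's "will be used for SSL certificate issuance" condition is passed in as the issues_ssl flag, since the certificate itself does not encode that intent.

```python
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
NETSCAPE_SGC = "2.16.840.1.113730.4.1"
def read_length(der, pos):            # DER length at pos -> (length, content offset)
    if der[pos] < 0x80:               # short form
        return der[pos], pos + 1
    n = der[pos] & 0x7F               # long form: n octets of length follow
    if n == 0 or n > 4 or pos + 1 + n > len(der):
        raise ValueError("bad DER length")
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_oid(content):              # OBJECT IDENTIFIER content octets -> dotted form
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear: this arc is complete
            if arcs:
                arcs.append(value)
            else:                     # first sub-identifier packs two arcs (X*40 + Y)
                arcs.extend(divmod(value, 40) if value < 80 else (2, value - 80))
            value = 0
    return ".".join(map(str, arcs))

def parse_eku(extn_value):            # ExtKeyUsage extnValue: SEQUENCE OF OID
    if not extn_value or extn_value[0] != 0x30:
        raise ValueError("ExtKeyUsage must be a SEQUENCE")
    length, pos = read_length(extn_value, 1)
    end = pos + length                # only walk the declared SEQUENCE contents
    oids = []
    while pos < end:
        if extn_value[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        length, pos = read_length(extn_value, pos + 1)
        oids.append(decode_oid(extn_value[pos:pos + length]))
        pos += length
    return oids

def check_intermediate_eku(extn_value, issues_ssl):   # extn_value None: no EKU extension
    if extn_value is None:
        return True, "no EKU extension; none is required on an intermediate"
    ekus = parse_eku(extn_value)
    if not issues_ssl or ID_KP_SERVER_AUTH in ekus:
        return True, "acceptable: not used for SSL issuance, or includes id-kp-serverAuth"
    if NETSCAPE_SGC in ekus:
        return False, "only Netscape Server Gated Crypto: no longer recognized for SSL"
    return False, "EKU present without id-kp-serverAuth"
# Constructed sample extnValues, hand-encoded for this example (not from any real cert)
EKU_SERVER_AUTH_AND_SGC = bytes.fromhex("3015" "06082b06010505070301" "06096086480186f8420401")
EKU_SGC_ONLY = bytes.fromhex("300b" "06096086480186f8420401")
```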