On 5/13/14, 8:46 AM, Jeremy Rowley wrote:
That actually clears things up. Intermediate certs aren't required to have
an EKU but, if they do and the intermediate will be used for SSL, they must
have the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU.
I think I understand the concern now.
I have updated the wiki page to add a bullet point to try to make this
more clear.
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
"1. All new intermediate certificates that include the EKU extension and
will be used for SSL certificate issuance must include the
id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU. Mozilla will stop recognizing
the "Netscape Server Gated Crypto (2.16.840.1.113730.4.1)" EKU.
- Intermediate certificates are not required to have an EKU, but if
an intermediate certificate does have an EKU and the intermediate will
be used for SSL, then it must have the id-kp-serverAuth EKU. See
sections #8, 9, and 10 of Mozilla's CA Certificate Inclusion Policy."
OK?
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
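The rule quoted above, as an added example that is not part of this thread or of mozpkix: a stdlib-only decoder for the EKU extension value (DER SEQUENCE OF OID) followed by the policy check on an intermediate. The sample extension values are constructed here; `check_intermediate` and `used_for_ssl` are hypothetical names.

```python
from typing import List, Optional

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"          # id-kp-serverAuth
NETSCAPE_SGC = "2.16.840.1.113730.4.1"     # Netscape Server Gated Crypto, no longer recognized

def _decode_oid(body: bytes) -> str:
    # First byte packs arcs 1 and 2 (40*a1 + a2); later arcs are base-128 with a continuation bit.
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue
        if not arcs:
            first = 2 if value >= 80 else value // 40
            arcs.extend([first, value - 40 * first])
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))

def parse_eku(der: bytes) -> List[str]:
    # ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (OBJECT IDENTIFIER).
    # Short-form lengths only (< 128 bytes); real EKU extensions are far smaller than that.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("EKU value is not a SEQUENCE")
    length = der[1]
    if length >= 0x80 or 2 + length != len(der):
        raise ValueError("unsupported or inconsistent SEQUENCE length")
    pos, oids = 2, []
    while pos < len(der):
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        n = der[pos + 1]
        oids.append(_decode_oid(der[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return oids

def check_intermediate(eku_der: Optional[bytes], used_for_ssl: bool) -> List[str]:
    """Return policy findings for one intermediate (empty list means it passes)."""
    if eku_der is None:
        return []  # an intermediate without any EKU extension is acceptable
    ekus = parse_eku(eku_der)
    findings = []
    if NETSCAPE_SGC in ekus:
        findings.append("Netscape SGC EKU present; Mozilla no longer recognizes it")
    if used_for_ssl and SERVER_AUTH not in ekus:
        findings.append("EKU present but id-kp-serverAuth missing on an SSL-issuing intermediate")
    return findings

# Constructed EKU extension values (DER), not taken from any real certificate.
SERVERAUTH_ONLY = bytes.fromhex("300a" "06082b06010505070301")
SGC_ONLY = bytes.fromhex("300b" "060960864801" "86f8420401")
SGC_PLUS_SERVERAUTH = bytes.fromhex("3015" "06082b06010505070301" "060960864801" "86f8420401")
```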