Great! Thanks!

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kathleen Wilson
Sent: Tuesday, May 13, 2014 11:47 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DRAFT: May CA Communication

On 5/13/14, 8:46 AM, Jeremy Rowley wrote:
> That actually clears things up. Intermediate certs aren't required to
> have an EKU but, if they do and the intermediate will be used for SSL,
> they must have the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU.
>

I think I understand the concern now. I have updated the wiki page to add a bullet point to try to make this more clear.

https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix

"1. All new intermediate certificates that include the EKU extension and will be used for SSL certificate issuance, must include the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU. Mozilla will stop recognizing the "Netscape Server Gated Crypto (2.16.840.1.113730.4.1)" EKU.
- Intermediate certificates are not required to have an EKU, but if an intermediate certificate does have an EKU and the intermediate will be used for SSL, then it must have the id-kp-serverAuth EKU. See sections #8, 9, and 10 of Mozilla's CA Certificate Inclusion Policy."

OK?

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
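
The EKU rule quoted from the wiki above, written as a check that could be run against an intermediate intended for SSL issuance. This is an added example, not part of the original thread and not Mozilla's code. The function names, the all-zero-seed Ed25519 test key and the self-signed test certificates are constructed for illustration, and only the rule as stated in this thread is evaluated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// checkIntermediateEKU: no EKU extension passes; if present it must list id-kp-serverAuth.
func checkIntermediateEKU(c *x509.Certificate) (bool, string) {
	if len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) == 0 {
		return true, "no EKU extension"
	}
	why := "EKU present without id-kp-serverAuth"
	for _, u := range c.ExtKeyUsage {
		switch u {
		case x509.ExtKeyUsageServerAuth: // 1.3.6.1.5.5.7.3.1
			return true, "EKU includes id-kp-serverAuth"
		case x509.ExtKeyUsageNetscapeServerGatedCrypto: // 2.16.840.1.113730.4.1
			why = "Netscape SGC EKU without id-kp-serverAuth"
		}
	}
	return false, why
}

// makeIntermediate returns a constructed self-signed test CA (all-zero key seed), parsed from DER.
func makeIntermediate(ekus ...x509.ExtKeyUsage) (*x509.Certificate, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: ekus}
	der, err := x509.CreateCertificate(rand.Reader, t, t, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	sgc := x509.ExtKeyUsageNetscapeServerGatedCrypto
	for _, ekus := range [][]x509.ExtKeyUsage{nil, {x509.ExtKeyUsageServerAuth}, {sgc}} {
		cert, err := makeIntermediate(ekus...)
		if err != nil {
			panic(err)
		}
		fmt.Println(checkIntermediateEKU(cert))
	}
}
```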