On 05/13/2014 06:48 AM, Peter Bowen wrote:
> I think the biggest question probably is id-kp-clientAuth. From a
> quick scan of the NSS certdb code, it seems that setting this EKU in a
> CA cert would allow it to issue serverAuth and emailProtection certs.
> Therefore it would seem reasonable to include this as well.
>
> Thanks,
> Peter
That may well be the case for NSS. However, the new certificate verification library under development and in use by default in Firefox >= 31 does not allow this.

In case you hadn't heard about it, the new library is "mozilla::pkix". Here's some more information:

https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/
https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing

Cheers,
David

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
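The disagreement above is about whether an id-kp-clientAuth EKU on a CA certificate should let that CA issue serverAuth or emailProtection leaf certificates. The following added example (written for this page; it is not NSS or mozilla::pkix source and does not reproduce either library's exact rules) models the two policies side by side over constructed chains: a "loose" policy in which clientAuth on a CA is treated as also covering serverAuth and emailProtection, as Peter describes for NSS certdb, and a "strict" policy in which every certificate in the chain that carries an EKU extension must itself list the required purpose, which is the effect David describes for mozilla::pkix. The OIDs are the standard id-kp values from RFC 5280; the function names and the rule that an absent EKU extension imposes no constraint are assumptions of this model.

```python
# Added example: a simplified model of EKU handling along a certificate chain.
# Certificates are represented only by their EKU extension: a set of OID
# strings, or None when the certificate has no EKU extension at all.
# This is illustrative code, not the NSS or mozilla::pkix implementation.

# Standard id-kp OIDs from RFC 5280 section 4.2.1.12.
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"


def ca_eku_permits(ca_eku, required, loose):
    """Does a CA certificate carrying `ca_eku` permit `required` in certs below it?

    Assumption of this model: a CA with no EKU extension (None) is unconstrained.
    Strict policy: the CA's EKU must list the required purpose explicitly.
    Loose policy: additionally, clientAuth on the CA is taken to cover
    serverAuth and emailProtection (the behaviour described for NSS certdb).
    """
    if ca_eku is None:
        return True
    if required in ca_eku:
        return True
    if (loose and ID_KP_CLIENT_AUTH in ca_eku
            and required in (ID_KP_SERVER_AUTH, ID_KP_EMAIL_PROTECTION)):
        return True
    return False


def chain_permits(chain, required, loose=False):
    """Return True if the whole chain allows the end-entity to be used for `required`.

    chain[0] is the end-entity certificate's EKU set (or None); chain[1:] are
    its issuers in order up to the root. The end-entity must list the purpose
    if it has an EKU extension at all; every issuer is then checked with
    ca_eku_permits under the chosen policy.
    """
    end_entity = chain[0]
    if end_entity is not None and required not in end_entity:
        return False
    return all(ca_eku_permits(ca_eku, required, loose) for ca_eku in chain[1:])


# Constructed sample chain: a serverAuth leaf under an intermediate whose only
# EKU is clientAuth, under a root with no EKU extension. This is exactly the
# case the thread is arguing about.
SAMPLE_CHAIN = [
    {ID_KP_SERVER_AUTH},   # end-entity
    {ID_KP_CLIENT_AUTH},   # intermediate CA
    None,                  # root, no EKU extension
]


def compare_policies(chain=SAMPLE_CHAIN, required=ID_KP_SERVER_AUTH):
    """Evaluate the same chain under both policies; returns (loose, strict)."""
    return (chain_permits(chain, required, loose=True),
            chain_permits(chain, required, loose=False))


if __name__ == "__main__":
    loose_ok, strict_ok = compare_policies()
    print("loose (clientAuth on CA implies serverAuth):", loose_ok)
    print("strict (every EKU-bearing cert must list serverAuth):", strict_ok)
```

Running it shows the sample chain accepted under the loose policy and rejected under the strict one, which is the practical consequence for a CA operator: an intermediate meant to issue TLS server certificates should carry id-kp-serverAuth itself (or omit the EKU extension) rather than rely on clientAuth being interpreted generously by one verifier.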

