On Tue, Sep 22, 2015 at 12:51 AM, Rob Stradling <[email protected]> wrote:
> On 22/09/15 01:01, Brian Smith wrote:
> <snip>
>
>> But, if the intermediate CA certificate is allowed to issue SSL certificates, then including the EKU extension with id-kp-serverAuth is just wasting space. Mozilla's software assumes that when the intermediate CA certificate does not have an EKU, then the certificate is valid for all uses. So, including an EKU with id-kp-serverAuth is redundant. And, the wasting of space within certificates has material consequences that affect performance and thus indirectly security.
>>
>
> Brian,
>
> Given that the BRs require id-kp-serverAuth in Technically Constrained intermediates, what would be the point of Mozilla dropping that same requirement?
>
> There seems little point providing options that, in reality, CAs are never permitted to choose.

It would be the first step towards changing the BRs in the analogous manner.

Cheers,
Brian
-- 
https://briansmith.org/

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
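The two technical points in the exchange above are that an intermediate with no EKU extension is treated as valid for every purpose, and that an EKU carrying only id-kp-serverAuth costs bytes in every chain that includes it. The following is an added example (not code from the thread, Mozilla, or any CA software) that encodes such an EKU extension in DER by hand to count those bytes, and models the chain rule as Brian describes it. The OIDs are the standard ones from RFC 5280; the function names and the chain representation (one entry per CA, either None for "no EKU" or a set of purpose OIDs) are this example's own choices.

```python
# Added example: hand-rolled DER encoding of an ExtKeyUsage extension,
# plus the "no EKU on an intermediate means all uses" rule described in the thread.

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # RFC 5280 id-kp-serverAuth
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # RFC 5280 id-kp-clientAuth
ID_CE_EXT_KEY_USAGE = "2.5.29.37"         # RFC 5280 id-ce-extKeyUsage


def _der_length(n):
    """DER length octets: short form below 0x80, otherwise long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Tag, length, value."""
    return bytes([tag]) + _der_length(len(content)) + content


def _base128(n):
    """Variable-length base-128 encoding used for OID arcs (high bit = more octets follow)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def der_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    return der_tlv(0x06, body)


def eku_extension(purposes, critical=False):
    """DER-encode a complete Extension holding an ExtKeyUsageSyntax.

    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
                             extnValue OCTET STRING }
    ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
    """
    inner = der_tlv(0x30, b"".join(der_oid(p) for p in purposes))
    fields = der_oid(ID_CE_EXT_KEY_USAGE)
    if critical:                     # DER omits a BOOLEAN equal to its DEFAULT
        fields += der_tlv(0x01, b"\xff")
    fields += der_tlv(0x04, inner)
    return der_tlv(0x30, fields)


def intermediate_allows(eku, purpose):
    """Rule as described in the thread: an intermediate with no EKU is valid for all uses;
    one with an EKU permits only the listed purposes."""
    return eku is None or purpose in eku


def chain_allows(chain_ekus, purpose):
    """Every CA in the chain (root first, each entry None or a set of OIDs) must allow the purpose."""
    return all(intermediate_allows(eku, purpose) for eku in chain_ekus)


if __name__ == "__main__":
    ext = eku_extension([ID_KP_SERVER_AUTH])
    print(f"EKU(serverAuth) extension: {len(ext)} bytes, DER {ext.hex()}")
    print("no-EKU intermediate permits serverAuth:",
          chain_allows([None, None], ID_KP_SERVER_AUTH))
    print("clientAuth-only intermediate permits serverAuth:",
          chain_allows([None, {ID_KP_CLIENT_AUTH}], ID_KP_SERVER_AUTH))
```

Running it shows that a non-critical serverAuth-only EKU adds 21 bytes to an intermediate's extensions; a constrained intermediate whose EKU omits serverAuth fails the chain check, while one with no EKU at all passes for any purpose.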

