Rob Stradling <[email protected]> wrote:
> https://aka.ms/rootcert Section 4.A.12, for example, says...
> "Rollover root certificates, or certificates which are intended to
> replace previously enrolled but expired certificates, will not be accepted
> if they combine server authentication with code signing uses unless the
> uses are separated by application of Extended Key Uses (“EKU”s) at the
> intermediate CA certificate level that are reflected in the whole
> certificate chain."

My reading of that is this: If you ask Microsoft to enable the code signing bit and the server authentication bit for the same root CA, then you must have separate intermediates for code signing and for server authentication, and those separate intermediates must have EKU extensions. But, if a given root certificate is only trusted for server authentication, then there is no requirement that the intermediate CA certificates contain EKU extensions.

So, in fact, I think many CAs--e.g. ones that don't do code signing, or that have separate roots for code signing--would benefit from such a change because they'd be allowed to issue smaller certificates. And, that's a good thing.

Cheers,
Brian
--
https://briansmith.org/

