All,

I added the following to
https://wiki.mozilla.org/CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F

~~
Intermediate certificates are considered to be technically constrained, and do not need to be added to the CA Community in Salesforce if:
- The certificate has the Extended Key Usage (EKU) extension and the EKU does not include any of these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth
- The root certificate is not enabled with the Websites trust bit
~~

This means that CAs do not need to add intermediate certificates that have an EKU that only includes KeyPurposeIds id-kp-emailProtection or id-kp-codeSigning.

Does anyone see any problems with this?

Kathleen
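
The EKU condition quoted above, as an added example that is not part of the original message or of any Mozilla tooling: it parses the DER value of an extendedKeyUsage extension using only the Python standard library and reports whether that condition holds. The function names and the sample byte strings are constructed for illustration, and the root trust-bit condition is not modelled.

```python
# Added illustration: evaluates only the EKU condition from the wiki text.
ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Decode DER OID content bytes (base-128 arcs) to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = arcs[0]  # first two arcs are packed into one value
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def eku_oids(ext_value):
    """Parse an EKU extension value (SEQUENCE OF OID) into dotted OIDs."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("EKU value must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU sequence may contain only OIDs")
        oids.append(_decode_oid(val))
    if not oids:
        raise ValueError("EKU sequence is empty")
    return oids

def eku_condition_met(ext_value):
    """True if EKU is present and lists neither anyEKU nor serverAuth."""
    if ext_value is None:  # the condition requires the extension to exist
        return False
    oids = eku_oids(ext_value)
    return ANY_EKU not in oids and SERVER_AUTH not in oids

# Constructed sample EKU values (hex DER), not taken from real certificates.
EMAIL_AND_CODE = bytes.fromhex("301406082b0601050507030406082b06010505070303")
SERVER_AND_EMAIL = bytes.fromhex("301406082b0601050507030106082b06010505070304")
ANY_ONLY = bytes.fromhex("30060604551d2500")
```
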

