On Wed, 27 Apr 2016 23:46:25 -0700 (PDT)
sanjay_m...@symantec.com wrote:

> We have a technical control in place for systems that issue S/MIME
> certs in this CA hierarchy.  Our systems use static cert templates
> from which end-entity certs are issued. Those templates include an
> EKU value, but do not use the serverAuth or anyExtendedKeyUsage
> values.

What hash algorithm is used to sign these end-entity certificates?  As
I've explained before, a chosen-prefix attack can be used to turn any
bit of signed data (such as an S/MIME certificate, or even an OCSP
response) into a certificate with a serverAuth EKU value.

This is why the EKU needs to be in the CA certificate and not just the
end-entity cert, and why it's essential that sub-CAs like this one be
disclosed.  Mozilla policy does not and should not provide an exception
for sub-CAs that are capable of certifying serverAuth certificates but
promise not to.

Regards,
Andrew
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
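The mechanism Andrew describes, as an added toy example that is not code from this thread or from any CA: a CA signs the hash of a to-be-signed body, so two bodies with the same hash share one valid signature. Everything here is a stand-in and an assumption of the example: the "certificate" is a text record rather than DER, the hash is SHA-256 truncated to 24 bits (standing in for a hash with practical chosen-prefix collisions such as MD5), and the CA key is unpadded textbook RSA with Mersenne-prime factors. Requires Python 3.8+ for the modular inverse via `pow`.

```python
"""Toy chosen-prefix collision against a CA signature over a weak hash.

Added example, not from the mailing-list thread. The attacker chooses two
prefixes (an S/MIME body and a serverAuth body), finds padding suffixes that
collide under the weak hash, gets the CA to sign the S/MIME body, and then
reuses that signature on the serverAuth body.
"""
import hashlib
from typing import Callable, Optional, Tuple

Digest = Callable[[bytes], int]


def weak_digest(data: bytes) -> int:
    """24-bit truncation of SHA-256: collisions cost ~2^12 work, like a broken hash."""
    return int.from_bytes(hashlib.sha256(data).digest()[:3], "big")


def strong_digest(data: bytes) -> int:
    """Full SHA-256: no collision will be found within any feasible budget."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


# Toy CA key (assumed values): Mersenne primes M127 and M521 give a modulus
# above 2^256, so any digest used here is below n. No padding: toy only.
_P = 2**127 - 1
_Q = 2**521 - 1
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))


def ca_sign(tbs: bytes, digest: Digest = weak_digest) -> int:
    """The CA signs only the digest of the body, never the body itself."""
    return pow(digest(tbs), RSA_D, RSA_N)


def verify(tbs: bytes, sig: int, digest: Digest = weak_digest) -> bool:
    """Relying-party check: recover the digest from the signature and compare."""
    return pow(sig, RSA_E, RSA_N) == digest(tbs)


def find_chosen_prefix_collision(
    prefix_a: bytes, prefix_b: bytes, digest: Digest = weak_digest, budget: int = 1 << 16
) -> Optional[Tuple[bytes, bytes]]:
    """Birthday search for suffixes sa, sb with digest(prefix_a+sa) == digest(prefix_b+sb).

    Suffixes are hex counters appended to each prefix. Returns the two full
    bodies, or None if no cross-collision appears within the budget.
    """
    seen = {}
    for i in range(budget):
        body = prefix_a + i.to_bytes(4, "big").hex().encode()
        seen.setdefault(digest(body), body)
    for i in range(budget):
        body = prefix_b + i.to_bytes(4, "big").hex().encode()
        h = digest(body)
        if h in seen:
            return seen[h], body
    return None


def demo(digest: Digest = weak_digest) -> Optional[Tuple[bool, bool, bool]]:
    """Run the attack end to end; returns (benign verifies, rogue verifies, bodies differ)."""
    # Constructed sample bodies; field names mimic an X.509 TBSCertificate loosely.
    benign = b"subject=attacker@example.com,eku=emailProtection,pad="
    rogue = b"subject=www.example.com,eku=serverAuth,pad="
    found = find_chosen_prefix_collision(benign, rogue, digest)
    if found is None:
        return None
    tbs_benign, tbs_rogue = found
    sig = ca_sign(tbs_benign, digest)  # the CA only ever sees the S/MIME body
    return (
        verify(tbs_benign, sig, digest),
        verify(tbs_rogue, sig, digest),  # same signature now covers serverAuth
        tbs_benign != tbs_rogue,
    )


if __name__ == "__main__":
    print("weak hash:", demo(weak_digest))
    print("strong hash:", demo(strong_digest))
```

With the weak hash the search succeeds and the CA's signature verifies on both bodies; with full SHA-256 the same search exhausts its budget and returns None. A real attack against MD5-signed certificates has to place the colliding blocks in fields the CA copies through unchanged (the 2008 rogue-CA work used the public key and extension contents) and must predict the serial number and validity the CA will assign, which is why this example pads a free-form field instead. It also shows why the EKU restriction belongs in the issuing CA certificate: a relying party reads the constraint from that certificate, which the attacker cannot rewrite without colliding the CA certificate too.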