On Monday, May 16, 2016 at 3:31:56 PM UTC-7, Rob Stradling wrote:
>
> One oddity: Some intermediates (e.g. https://crt.sh/?id=17014784)
> contain the EKU extension with the MS SGC and/or NS Step-Up OIDs and
> _not_ id-kp-serverAuthentication. The policy says that these don't need
> to be disclosed, but Firefox does trust them as issuers of server
> authentication certs.
>
Good point.

https://bugzilla.mozilla.org/show_bug.cgi?id=982932
"Check issuance date of intermediate certificate in effort to obsolete SGC EKU"
Target Milestone: mozilla49

So, old intermediate certs like that should not be marked technically constrained.

New intermediate certs that have the SGC EKU and not id-kp-serverAuthentication will not validate in Firefox 49 or later, so those may be treated as technically constrained.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
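As an added illustration (not part of this thread and not Mozilla's code): a pure-Python check that decodes an intermediate's DER ExtKeyUsage value and applies the reasoning above. The cutoff date is a placeholder assumption, since the thread does not state the date bug 982932 uses, and the sample EKU bytes are constructed.

```python
from datetime import date

# OIDs named in the thread, in dotted form.
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
MS_SGC = "1.3.6.1.4.1.311.10.3.3"
NS_STEP_UP = "2.16.840.1.113730.4.1"
LEGACY_SERVER_EKUS = {MS_SGC, NS_STEP_UP}

# ASSUMPTION: placeholder issuance-date cutoff; the thread gives no date.
SGC_CUTOFF = date(2016, 8, 23)

def decode_oid(body: bytes) -> str:
    """Decode the contents octets of a DER OBJECT IDENTIFIER."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:                      # base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(der: bytes) -> list:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = der[1], 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[2:2 + n], "big"), 2 + n
    end, oids = pos + length, []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid_len = der[pos + 1]
        oids.append(decode_oid(der[pos + 2:pos + 2 + oid_len]))
        pos += 2 + oid_len
    return oids

def classify(eku_oids: list, not_before: date) -> str:
    """Apply the thread's rule: SGC/Step-Up-only issuers split by issuance date."""
    if ID_KP_SERVER_AUTH in eku_oids:
        return "serverAuth: disclose"
    if not LEGACY_SERVER_EKUS & set(eku_oids):
        return "no server EKU: technically constrained"
    if not_before < SGC_CUTOFF:
        return "legacy SGC: trusted by Firefox, disclose"
    return "SGC after cutoff: not trusted by Firefox 49+, may be constrained"

# Constructed sample: SEQUENCE { MS SGC, NS Step-Up } with no serverAuth.
SAMPLE_EKU_DER = bytes.fromhex("3017060a2b06010401" "82370a0303" "06096086480186f8420401")
```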

