At the moment, Firefox recognises an EE cert as a server cert if it has an EKU extension with id-kp-serverAuth, or if it has no EKU at all.
On 17th of Feb 2013, Mozilla published CA policy 2.1, which required adherence to the BRs (version 1.1.5).[0] Since the very first version of the BRs[1], EKU and id-kp-serverAuth have been mandatory for EE server certificates. The current maximum lifetime of a BR cert is 39 months. 17th Feb 2013 is more than 39 months ago. (Even if it were previously possible to issue longer certs and some may still be around, those will all be SHA-1, and so no longer work from January. There may also have been an intro period for BR compliance, but even with that, we must be pretty much hitting 39 months now.)

So, is it now possible to change Firefox to mandate the presence of id-kp-serverAuth for EE server certs from Mozilla-trusted roots? Or is there some reason I've missed we can't do that?

The advantage of doing this is that it makes it much easier to scope our root program to avoid capturing certs it's not meant to capture.

Gerv

[0] http://web.archive.org/web/20130217001843/http://www.mozilla.org/projects/security/certs/policy/
[1] https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1.pdf , Appendix B

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
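The two rules the post contrasts, written out as an added example that is not Firefox, NSS or mozilla::pkix code: a minimal DER walker for the ExtKeyUsage extension value, followed by one classifier for the current behaviour (id-kp-serverAuth present, or no EKU extension at all) and one for the proposed behaviour (id-kp-serverAuth mandatory). The EKU byte strings are constructed by hand for the example; `None` stands for "certificate has no EKU extension". The post does not discuss anyExtendedKeyUsage, so the code deliberately does not treat it as serverAuth.

```python
"""Classify an end-entity cert as a server cert by its EKU extension,
under the current Firefox rule and the rule proposed in the post.
Added example; not Firefox/NSS code. Sample DER is constructed by hand."""
from typing import List, Optional

ID_KP_SERVERAUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENTAUTH = "1.3.6.1.5.5.7.3.2"


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos).
    Definite short and long lengths only, which is all X.509 uses."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER content octets into dotted form."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the sub-identifier
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(eku_der: bytes) -> List[str]:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (RFC 5280)."""
    tag, body, end = _read_tlv(eku_der, 0)
    if tag != 0x30 or end != len(eku_der):
        raise ValueError("EKU value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(v))
    if not oids:
        raise ValueError("EKU SEQUENCE must not be empty")
    return oids


def is_server_cert_current(eku_der: Optional[bytes]) -> bool:
    """Current rule from the post: serverAuth present, OR no EKU extension."""
    if eku_der is None:
        return True
    return ID_KP_SERVERAUTH in parse_eku(eku_der)


def is_server_cert_proposed(eku_der: Optional[bytes]) -> bool:
    """Proposed rule: id-kp-serverAuth must be present; a missing EKU fails."""
    if eku_der is None:
        return False
    return ID_KP_SERVERAUTH in parse_eku(eku_der)


# Constructed sample extnValue contents (DER), not taken from real certs.
EKU_SERVER_AUTH = bytes.fromhex("300a06082b06010505070301")
EKU_CLIENT_AUTH = bytes.fromhex("300a06082b06010505070302")
EKU_BOTH = bytes.fromhex("301406082b0601050507030106082b06010505070302")
NO_EKU = None

if __name__ == "__main__":
    samples = [("serverAuth only", EKU_SERVER_AUTH), ("clientAuth only", EKU_CLIENT_AUTH),
               ("serverAuth+clientAuth", EKU_BOTH), ("no EKU extension", NO_EKU)]
    for name, eku in samples:
        print(f"{name:22s} current={is_server_cert_current(eku)!s:5s} "
              f"proposed={is_server_cert_proposed(eku)}")
```

The only input on which the two classifiers disagree is the certificate with no EKU extension, which is exactly the class the proposal would stop treating as a server cert.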

