7.1.2.3 requires an EKU but does not require serverAuth. clientAuth is permissible. Omitting other values is only a "SHOULD"
This is back to the same problem we keep going round and round on. Only certificates intended for web servers are considered in scope of the BRs. Therefore, the BRs only require an EKU if the certs are intended for web servers. Regardless of the BRs, I wholeheartedly support excluding a lack of EKU or inclusion of the anyEKU from operating as a server cert.

Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Gervase Markham
Sent: Wednesday, November 9, 2016 5:53 AM
To: Kurt Roeckx <[email protected]>; [email protected]
Subject: Re: Can we require id-kp-serverAuth now?

On 09/11/16 10:43, Kurt Roeckx wrote:
> On 2016-11-09 10:58, Gervase Markham wrote:
>> At the moment, Firefox recognises an EE cert as a server cert if it
>> has an EKU extension with id-kp-serverAuth, or if it has no EKU at all.
>
> So not when the anyExtendedKeyUsage is present?

No. I believe we discovered we don't support that.

>> Since the very first version of the BRs[1], EKU and id-kp-serverAuth
>> has been mandatory for EE server certificates.
>
> I can't actually find this anymore in the current BRs.

Section 7.1.2.3.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
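The three acceptance rules under discussion in this thread, applied to real certificates: the rule Gerv describes for Firefox (id-kp-serverAuth present, or no EKU extension at all; anyExtendedKeyUsage alone not accepted), the stricter rule Jeremy says he supports (EKU must be present and must contain id-kp-serverAuth), and, for comparison, what Go's crypto/x509 chain verification does with the same leaf certificates when asked for the serverAuth usage. This is an added example, not code from the thread, from Mozilla or from any CA; the self-signed certificates are constructed test data, and MakeLeaf, Classify and Verdict are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidExtKeyUsage is the OID of the X.509 extendedKeyUsage extension (2.5.29.37).
var oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}

// Verdict records how three acceptance rules treat one leaf certificate.
type Verdict struct {
	HasEKU   bool // the extendedKeyUsage extension is present at all
	Firefox  bool // rule from the thread: id-kp-serverAuth present, or no EKU extension at all
	Strict   bool // proposed rule: EKU present and containing id-kp-serverAuth
	GoStdlib bool // what crypto/x509 Verify(KeyUsages: serverAuth) decides for the same cert
}

// MakeLeaf builds a self-signed leaf certificate (constructed test data, not a
// CA-issued cert) carrying exactly the given EKU values; nil means no EKU extension.
func MakeLeaf(ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus, // empty => CreateCertificate omits the extension entirely
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasEKUExtension checks the raw extension list rather than the parsed EKU slice,
// so an EKU extension holding only unknown OIDs still counts as "present".
func hasEKUExtension(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidExtKeyUsage) {
			return true
		}
	}
	return false
}

func hasServerAuth(c *x509.Certificate) bool {
	for _, u := range c.ExtKeyUsage {
		if u == x509.ExtKeyUsageServerAuth {
			return true
		}
	}
	return false
}

// goAcceptsAsServerCert runs the certificate through crypto/x509 chain verification
// for the serverAuth usage, trusting the self-signed cert itself as the root.
func goAcceptsAsServerCert(c *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(c)
	_, err := c.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Classify applies all three rules to one parsed leaf certificate.
func Classify(c *x509.Certificate) Verdict {
	present := hasEKUExtension(c)
	server := hasServerAuth(c)
	return Verdict{
		HasEKU:   present,
		Firefox:  server || !present, // no EKU at all is accepted; anyEKU alone is not
		Strict:   server,             // missing EKU and anyEKU alone both fail
		GoStdlib: goAcceptsAsServerCert(c),
	}
}

func main() {
	cases := []struct {
		name string
		ekus []x509.ExtKeyUsage
	}{
		{"serverAuth only", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
		{"clientAuth only", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
		{"clientAuth+serverAuth", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}},
		{"no EKU extension", nil},
		{"anyExtendedKeyUsage", []x509.ExtKeyUsage{x509.ExtKeyUsageAny}},
	}
	for _, tc := range cases {
		c, err := MakeLeaf(tc.ekus)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-22s %+v\n", tc.name, Classify(c))
	}
}
```

The GoStdlib column is the practical caveat: crypto/x509 treats a certificate with no EKU extension as unconstrained and treats anyExtendedKeyUsage as matching every usage, so a relying party built on it accepts exactly the two cases the thread proposes to exclude, while it does reject a clientAuth-only certificate, which is the BR 7.1.2.3 gap Jeremy points out.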

