On 09/11/16 16:10, Jeremy Rowley wrote:
> 7.1.2.3 requires an EKU but does not require serverAuth. clientAuth is
> permissible.

Yes, that is true, but I'm not sure it's relevant to the point. There are two types of BR-compatible cert:

EKU-serverAuth
EKU-clientAuth

Either may have other EKUs too, but all will have at least one of those. No EKU is not permitted. And the EKU-clientAuth ones won't be trusted by Firefox for server auth, clearly.

> This is back to the same problem we keep going round and round again. Only
> certificates intended for web servers are considered in scope of the BRs.
> Therefore, the BRs only require an EKU if the certs are intended for
> webservers.

I intend to fix Mozilla policy to rescope the BRs more clearly.

https://github.com/mozilla/pkipolicy/issues/27

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

