Perhaps the CA didn't intend them to be used for Web PKI, making them out of
scope of the BRs. Playing devil's advocate, I'd say anything issued without
serverAuth isn't intended to be used for server authentication by the CA.
Because of this, either the CAB Forum should define all certs with anyEKU,
serverAuth or no EKU as in scope of the BRs or the browsers should require
an EKU to function. 

-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org]
On Behalf Of Peter Bowen
Sent: Wednesday, November 9, 2016 11:50 AM
To: Gervase Markham <[email protected]>
Cc: [email protected]
Subject: Re: Can we require id-kp-serverAuth now?

On Wed, Nov 9, 2016 at 1:58 AM, Gervase Markham <[email protected]> wrote:
> So, it is now possible to change Firefox to mandate the presence of 
> id-kp-serverAuth for EE server certs from Mozilla-trusted roots? Or is 
> there some reason I've missed we can't do that?

Here are some certs that appear to be for server authentication but don't
have that EKU:

https://crt.sh/?id=10621190
https://crt.sh/?id=32333854
https://crt.sh/?id=10621157
https://crt.sh/?id=12283906
https://crt.sh/?id=12797412
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
