I think it makes sense to have a new doc that applies to all CAs and specifies when requirements apply to certificates. That way we can say "SSL BRs apply if X, S/MIME BRs apply if Y, Code Signing applies if Z, this doc applies to subCAs when A".
On Wed, Nov 9, 2016 at 10:55 AM, Jeremy Rowley <[email protected]> wrote: > Perhaps the CA didn't intend them to be used for Web PKI, making them out of > scope of the BRs. Playing devil's advocate, I'd say anything issued without > serverAuth isn't intended to be used for server authentication by the CA. > Because of this, either the CAB Forum should define all certs with anyEKU, > serverAuth or no EKU as in scope of the BRs or the browsers should require > an EKU to function. > > -----Original Message----- > From: dev-security-policy > [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla > .org] On Behalf Of Peter Bowen > Sent: Wednesday, November 9, 2016 11:50 AM > To: Gervase Markham <[email protected]> > Cc: [email protected] > Subject: Re: Can we require id-kp-serverAuth now? > > On Wed, Nov 9, 2016 at 1:58 AM, Gervase Markham <[email protected]> wrote: >> So, it is now possible to change Firefox to mandate the presence of >> id-kp-serverAuth for EE server certs from Mozilla-trusted roots? Or is >> there some reason I've missed we can't do that? > > Here are some certs that appear to be for server authentication but don't > have that EKU: > > https://crt.sh/?id=10621190 > https://crt.sh/?id=32333854 > https://crt.sh/?id=10621157 > https://crt.sh/?id=12283906 > https://crt.sh/?id=12797412 > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
