On Fri, Dec 16, 2016 at 09:41:08AM -0800, Ryan Sleevi wrote:
> On Fri, Dec 16, 2016 at 7:24 AM, Kurt Roeckx <k...@roeckx.be> wrote:
> > On 2016-12-16 15:45, Gervase Markham wrote:
> >>
> >> But secondly, I'm not banning the use of anyEKU, because Firefox doesn't
> >> trust cert chains that rely on it, so there's no need to ban it. Is there?
> >
> >
> > Can I point out again that Firefox (or NSS) is not the only user of the root
> > store?
>
> Can I point out again
> https://wiki.mozilla.org/CA:FAQ#Can_I_use_Mozilla.27s_set_of_CA_certificates.3F
It's actually the first time I read that. Anyway, my comment is mainly that it's not because Firefox doesn't support anyEKU or clientAuth that other software doesn't. And that having a policy that only focuses on serverAuth (or email) might have an effect on those other users.

It's my understanding that NSS (or Firefox) doesn't allow the anyEKU anywhere in the chain. The BRs seem to perfectly allow the anyEKU for CAs, but require the serverAuth or clientAuth for the subscriber.

My understanding from what would change is that if it has an anyEKU or clientAuth anywhere in the chain it would no longer be in scope of the Mozilla requirements and so that it would not need to follow the BRs, be audited, follow their CP/CPS, and that Mozilla wouldn't care because it doesn't affect Firefox. But clearly others could be affected.

Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
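As an added illustration, not from the thread or from any Mozilla code, the two readings contrasted above modelled in Python: a chain-wide EKU check in which anyExtendedKeyUsage on a CA certificate either satisfies every purpose (the BR-style reading) or satisfies nothing (the NSS-style reading as described in the message). Certificates are constructed dicts rather than parsed X.509, and the leaf is assumed to need the purpose listed explicitly in both modes.

```python
# Added example: simplified model of deriving the purposes a leaf certificate
# may be trusted for when CA certificates in the chain also carry EKU.
# Certificates are plain dicts (constructed sample data), not real X.509.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"            # id-kp-anyExtendedKeyUsage


def cert_permits(cert, purpose, any_eku_matches_on_ca):
    """Does one CA certificate permit `purpose`?

    - no EKU extension: unconstrained, permits every purpose
    - purpose listed explicitly: permitted
    - anyEKU listed: permitted only when the modelled policy honours
      anyEKU on CA certificates (BR-style); the NSS-style mode never does
    """
    ekus = cert.get("eku")
    if ekus is None:
        return True
    if purpose in ekus:
        return True
    return ANY_EKU in ekus and cert["ca"] and any_eku_matches_on_ca


def chain_permits(chain, purpose, any_eku_matches_on_ca):
    """Chain intersection: every CA from root to leaf must permit the purpose.
    Model assumption: the subscriber (leaf) must list the purpose explicitly,
    so anyEKU on the leaf is never a substitute for serverAuth/clientAuth."""
    *cas, leaf = chain
    if not all(cert_permits(c, purpose, any_eku_matches_on_ca) for c in cas):
        return False
    return purpose in (leaf.get("eku") or ())


def evaluate(chain, purpose):
    """Return (br_style_verdict, nss_style_verdict) for the same chain."""
    return (chain_permits(chain, purpose, any_eku_matches_on_ca=True),
            chain_permits(chain, purpose, any_eku_matches_on_ca=False))


# Constructed sample certificates.
ROOT = {"ca": True, "eku": None}                          # no EKU extension
ICA_ANY = {"ca": True, "eku": [ANY_EKU]}                  # anyEKU-only intermediate
ICA_TLS = {"ca": True, "eku": [SERVER_AUTH, CLIENT_AUTH]}
LEAF_TLS = {"ca": False, "eku": [SERVER_AUTH]}
LEAF_ANY = {"ca": False, "eku": [ANY_EKU]}

if __name__ == "__main__":
    # The divergence discussed in the thread: BR-style accepts, NSS-style rejects.
    print(evaluate([ROOT, ICA_ANY, LEAF_TLS], SERVER_AUTH))  # (True, False)
    print(evaluate([ROOT, ICA_TLS, LEAF_TLS], SERVER_AUTH))  # (True, True)
```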