On 16/12/16 21:56, Brian Smith wrote:
> What does "working" mean? If I were a CA I would interpret "working"
> to mean "works in Firefox" 

Working means, I guess, "RFC 5280 etc. expect it to work". Conflicting
name constraints, no-one expects to work. AnyEKU, some people do.

> which would then allow me to issue
> certificates that violate Mozilla's CA policies by issuing them from
> an intermediate that has (only) anyExtendedKeyUsage, so that they work
> in every browser except Firefox and are out of scope of your policy.

If they are out of scope of our policy, and not trusted by Firefox, why
do we care if they violate it?

> Again, the reason for banning anyEKU is to prevent, through policy,
> CAs from using/issuing intermediate certificates that work in every
> browser except Firefox, for whatever reason (most likely, to work
> around a CA policy disagreement).

It would help greatly if you proposed concrete alternative text instead
of making (difficult to fully comprehend) assertions about the inadequacy
of the current draft.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
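The exchange above turns on one technical point: whether a verifier treats anyExtendedKeyUsage on an intermediate as satisfying the leaf's required usage. The following is an added toy model, not code from the thread or from any Mozilla component; it uses the standard RFC 5280 OIDs, a constructed chain, and a single `honour_any_eku` flag to contrast a verifier that accepts anyEKU (the "works everywhere else" case) with one that ignores it (the behaviour the thread attributes to Firefox). It also includes a small lint a CA or auditor could run to spot intermediates whose EKU consists solely of anyEKU.

```python
# Added example (not from the mailing-list thread): a toy model of how an
# extended-key-usage (EKU) check differs between a verifier that honours
# anyExtendedKeyUsage and one that does not. OIDs are the RFC 5280 values;
# the chain below is constructed for illustration.

ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth


def cert_permits(eku_set, required, honour_any_eku):
    """Does a single certificate's EKU extension permit `required`?

    eku_set is None when the extension is absent, which places no
    restriction; otherwise it is the set of key-purpose OIDs present.
    """
    if eku_set is None:
        return True
    if required in eku_set:
        return True
    # Only a lenient verifier lets anyExtendedKeyUsage stand in for a
    # specific purpose; a strict one ignores it entirely.
    return honour_any_eku and ANY_EKU in eku_set


def chain_permits(chain, required, honour_any_eku):
    """chain: EKU sets ordered leaf first, then intermediates (root excluded).

    Every certificate in the chain must permit the required usage for the
    chain as a whole to be acceptable for that usage.
    """
    return all(cert_permits(eku, required, honour_any_eku) for eku in chain)


def intermediates_relying_on_any_eku(chain):
    """Lint: indices of intermediates whose EKU extension is exactly
    {anyExtendedKeyUsage}. Such an intermediate is the one the thread
    describes as working in every verifier that honours anyEKU and failing
    in one that does not."""
    return [i for i, eku in enumerate(chain[1:], start=1) if eku == {ANY_EKU}]


# Constructed chain: a serverAuth leaf issued by an intermediate that carries
# only anyExtendedKeyUsage.
CHAIN = [{SERVER_AUTH}, {ANY_EKU}]


if __name__ == "__main__":
    for honour in (True, False):
        ok = chain_permits(CHAIN, SERVER_AUTH, honour_any_eku=honour)
        print(f"honour_any_eku={honour}: serverAuth chain accepted = {ok}")
    print("intermediates relying solely on anyEKU:",
          intermediates_relying_on_any_eku(CHAIN))
```

Running the block shows the same chain accepted with `honour_any_eku=True` and rejected with `honour_any_eku=False`, which is exactly the split the thread is arguing about; the lint returns `[1]`, pointing at the offending intermediate.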