On 05/05/17 22:21, Jakob Bohm wrote:
> The issue would be implementations that only check the EE cert for
> their desired EKU (such as ServerAuth checking for a TLS client or
> EmailProtection checking for a mail client). In other words, relying
> parties whose software would accept a chain such as
>
> root CA (no EKUs) => SubCA (EmailProtection) => EE cert (ServerAuth).

Do you know of any such implementations?

> One other question: Does your proposal allow a TCSC that covers both
> ServerAuth and EmailProtection for the domains of the same organization?

I don't believe my proposal forbids this. Do you think it should?

> Does Mozilla as a Browser implementer have any policy or technical
> requirements on certificates that Mozilla products can use for
> ClientAuth?

No policy requirements to my knowledge. There may be technical requirements (e.g. now we've turned off SHA-1 support, I doubt that works with ClientAuth either).

Gerv

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
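The distinction Jakob raises, a relying party that checks EKU on the EE cert only versus one that checks it along the whole chain, as an added example that is not part of the thread or of any Mozilla/NSS code. Certificates are modelled as plain dicts, and treating anyExtendedKeyUsage as permissive is an assumption of this example.

```python
"""Leaf-only vs. chain-wide EKU checking (constructed example).

Each certificate is a dict with 'subject' and 'eku', where 'eku' is None
when the certificate carries no EKU extension, or a set of purpose names.
Chains are listed leaf first, root last.
"""

SERVER_AUTH = "serverAuth"
EMAIL_PROTECTION = "emailProtection"
ANY_EKU = "anyExtendedKeyUsage"  # treated as permissive here (assumption)


def cert_allows(cert, purpose):
    """True if this certificate permits `purpose` to appear below it.

    A missing EKU extension is unconstrained (typical for a root CA);
    otherwise the purpose itself, or anyExtendedKeyUsage, must be listed.
    """
    eku = cert.get("eku")
    if eku is None:
        return True
    return purpose in eku or ANY_EKU in eku


def leaf_only_check(chain, purpose):
    """The weak check the thread warns about: looks at the EE cert only."""
    leaf = chain[0]
    return leaf.get("eku") is not None and purpose in leaf["eku"]


def chain_eku_check(chain, purpose):
    """Require the leaf to assert `purpose` and every CA above it to allow it.

    Returns (ok, reason) so a caller can log why a chain was rejected.
    """
    leaf, cas = chain[0], chain[1:]
    if leaf.get("eku") is None or purpose not in leaf["eku"]:
        return False, f"leaf {leaf['subject']} does not assert {purpose}"
    for ca in cas:
        if not cert_allows(ca, purpose):
            return False, f"CA {ca['subject']} is constrained to {sorted(ca['eku'])}"
    return True, "ok"


# Constructed chain from the thread: root (no EKU) => SubCA (EmailProtection) => EE (ServerAuth)
ROOT = {"subject": "Example Root CA", "eku": None}
MAIL_SUBCA = {"subject": "Example Mail SubCA", "eku": {EMAIL_PROTECTION}}
WEB_EE = {"subject": "www.example.test", "eku": {SERVER_AUTH}}
SUSPECT_CHAIN = [WEB_EE, MAIL_SUBCA, ROOT]

if __name__ == "__main__":
    print("leaf-only:", leaf_only_check(SUSPECT_CHAIN, SERVER_AUTH))   # True: accepted
    print("chain-wide:", chain_eku_check(SUSPECT_CHAIN, SERVER_AUTH))  # (False, ...): rejected
```

The leaf-only checker accepts the chain from the thread, while the chain-wide checker rejects it because the mail-only SubCA never permitted serverAuth beneath it.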

