The "AC FNMT Usuarios” intermediate operated by the Government of Spain, 
Fábrica Nacional de Moneda y Timbre (FNMT) issues certificates that are not 
BR-compliant. This was acknowledged during the FNMT root inclusion request 
discussion and allowed as long as the intermediate "never issues TLS/SSL 

Recently, some certificates issued from this intermediate were logged to CT, so 
we can see what they look like[1].

While they do not contain dnsName SANs, they do contain the anyExtendedKeyUsage 
EKU which makes them technically usable for TLS server authentication and in 
scope for the Mozilla Root Store Policy.

Additionally, I was able to find one of these certificates[2] served from a TLS 
server in Censys[3].

This is information that does not appear to have been available at the time of 
the root inclusion discussion last year, so I thought I’d point it out.



dev-security-policy mailing list

Reply via email to