On 06/07/17 16:56, Ryan Sleevi wrote: > Relevant to this group, id-kp-serverAuth (and perhaps id-kp-clientAuth)
So what do we do? There are loads of "name-constrained" certs out there with id-kp-serverAuth but no constraints on SRVName. Does that mean they can issue for any SRVName they like? Is that a problem once we start allowing it? I've filed: https://github.com/mozilla/pkipolicy/issues/96 on this issue in general. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy