> On Aug 17, 2017, at 14:24, identrust--- via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> Hello. In reference to 3) "Certificates that appear to be intended as client 
> certificates, but have the anyExtendedKeyUsage EKU, putting them in scope for 
> the Mozilla Root Policy."
> The following 6 client certificates have been identified as server 
> certificates and have been flagged as non-compliant.  However, these 
> certificates do not contain an FQDN, IP Address, nor the ‘TLS Web Server 
> Authentication’ EKU.  As such, in order for us to proceed with our analysis 
> and determine if any remediation is required, we need clarification on the 
> exact nature of the non-compliance as it relates to the Mozilla Root Policy or CAB 
> Forum Baseline Requirements (ideally with a pointer to the specific requirement 
> in the corresponding documents).

The Mozilla Root Store Policy section 1.1 (Scope) says:

> This policy applies, as appropriate, to certificates matching any of the 
> following (and the CAs which control or issue them):
> …
> 3. End-entity certificates which have at least one valid, unrevoked chain up 
> to such a CA certificate through intermediate certificates which are all in 
> scope, such end-entity certificates having either:
>       - an Extended Key Usage (EKU) extension which contains one or more of 
> these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth, 
> id-kp-emailProtection; or: …

The six certificates linked contain the anyExtendedKeyUsage KeyPurposeId and 
were issued by an intermediate that is also in scope, so they are in scope for 
the Mozilla Root Policy and by extension the Baseline Requirements.

Jonathan
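The EKU clause of section 1.1 item 3 quoted above, as an added example that is not part of this thread: a small DER parser for an ExtKeyUsage extension value that reports whether any of the three KeyPurposeIds named in the policy is present. The two EKU encodings are constructed here, not taken from the six certificates under discussion, and the example checks only the EKU clause; the separate condition that the chain up to the root is in scope has to be verified against the actual chain.

```python
# Constructed example: does an EKU extension value put a certificate in scope
# under Mozilla Root Store Policy 1.1 item 3 (EKU clause only)?
from typing import List, Tuple

ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth (not in the policy's list)
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
IN_SCOPE_EKUS = {ANY_EKU, SERVER_AUTH, EMAIL_PROTECTION}


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV with a definite length; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in content[1:]:  # remaining arcs are base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(extn_value: bytes) -> List[str]:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId into dotted OIDs."""
    tag, body, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extnValue must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("each KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    return oids


def eku_in_scope(extn_value: bytes) -> bool:
    """True if at least one policy-listed KeyPurposeId is present."""
    return bool(IN_SCOPE_EKUS & set(parse_eku(extn_value)))


# Constructed DER values: clientAuth + anyExtendedKeyUsage, and clientAuth alone.
CLIENT_AUTH_PLUS_ANY = bytes.fromhex("301006082b060105050703020604551d2500")
CLIENT_AUTH_ONLY = bytes.fromhex("300a06082b06010505070302")
```

A certificate carrying only id-kp-clientAuth is out of scope by this clause, while adding anyExtendedKeyUsage brings it in, which is the situation the six certificates are in.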
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy