On 03/10/17 18:35, Doug Beattie wrote:
> The specific issue is that these client certificate CAs don't have
> the EKU extension even though we have no intent of issuing SSL
> certificates (they are WT audited and verified to not issue any SSL
> certificates per the BRs).

Would it be an acceptable solution to add these intermediates to OneCRL?

> Is it permissible to continue issuing SHA-1 OCSP signing certificates
> for these existing legacy non-SSL CAs so we may continue providing
> revocation services using algorithms they support until all
> certificates under the CAs expire? This would be no later than the
> end of 2020.

Can anyone see any problems with an answer to Doug which says that he
may do this once the intermediates are in OneCRL?

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy