On 17/4/2018 9:24 PM, Wayne Thayer via dev-security-policy wrote:
This proposal is to require intermediate certificates to be dedicated to specific purposes by EKU. Beginning at some future date, all newly created intermediate certificates containing either the id-kp-serverAuth or id-kp-emailProtection EKUs would be required to contain only a single EKU.
We should not require a single EKU but separation of id-kp-serverAuth and id-kp-emailProtection. This means that if an Intermediate CA Certificate includes the id-kp-serverAuth, it MUST NOT include id-kp-emailProtection but it MAY also include (for example) the id-kp-clientAuth EKU.
Dimitris.

