On 17/04/2018 20:24, Wayne Thayer wrote:
> This proposal is to require intermediate certificates to be dedicated to
> specific purposes by EKU. Beginning at some future date, all newly created
> intermediate certificates containing either the id-kp-serverAuth or
> id-kp-emailProtection EKUs would be required to contain only a single EKU.
> Arguments for this requirement are that it reduces the risk of an incident in
> which one type of certificate affects another type, and it could allow
> some policies to be restricted to specific types of certificates.

One case that needs to be considered is specifying a set of closely
related EKUs, which are desirable to include in the same end entity
certificate. A typical combination would be emailProtection and
clientAuth, for the same identity in the EE cert.

> It was pointed out that Microsoft already requires dedicated intermediates
> [1].
> I would appreciate everyone's input on this topic.
> I suspect that it will be tempting to extend this discussion into
> intermediate rollover policies, but I would remind everyone of the prior
> inconclusive discussion on that topic [2].
> This is: https://github.com/mozilla/pkipolicy/issues/26
> [1] https://aka.ms/rootcert
> [2] https://groups.google.com/d/msg/mozilla.dev.security.policy/3NdNMiM-TQ8/hgVsCofcAgAJ
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
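To make the proposed rule concrete, here is an added Go example (not from the thread and not Mozilla's policy tooling) that builds a throwaway CA:TRUE certificate with the standard crypto/x509 package and checks whether it mixes serverAuth or emailProtection with any other EKU; the emailProtection+clientAuth combination raised above is exactly the case it flags. The function names and the test certificate are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// ViolatesDedicatedEKU applies the proposed rule: an intermediate (CA:TRUE)
// asserting serverAuth or emailProtection must carry no other EKU. Unknown
// EKU OIDs count too; end-entity certs are out of scope and never violate.
func ViolatesDedicatedEKU(c *x509.Certificate) bool {
	restricted := false
	for _, e := range c.ExtKeyUsage {
		if e == x509.ExtKeyUsageServerAuth || e == x509.ExtKeyUsageEmailProtection {
			restricted = true
		}
	}
	return c.IsCA && restricted && len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) > 1
}

// MakeIntermediate builds a self-signed CA:TRUE test cert with the given EKUs (constructed data).
func MakeIntermediate(ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		ExtKeyUsage:           ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, _ := MakeIntermediate([]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth})
	println("emailProtection+clientAuth intermediate violates the rule:", ViolatesDedicatedEKU(c))
}
```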