Hi,

I have a question about the following certificate chain:

(root cert)--(1st intermediate cert)--(2nd intermediate cert)--(EE cert)

In addition, the "1st intermediate cert" is technically constrained with name constraints (including the server-auth EKU). I believe we must put the EKU (server-auth) in the "2nd intermediate cert" (regarding Mozilla root store policy 5.3). However, does the "2nd intermediate cert" need name constraints?

# In our understanding, name constraints on the 2nd intermediate are not necessary, but we are not sure about that.

Furthermore, if there is something I should be concerned about, I am more than happy to hear advice.

# i.e., in the case of a cross cert, or some verification environment which requires name constraints with server-auth (if one exists).

Tadahiko Ito

