On Fri, Apr 19, 2019 at 01:22:59PM -0700, Wayne Thayer via dev-security-policy wrote:
> Okay, then I propose adding the following to section 5.2 "Forbidden and
> Required Practices":
>
> Effective for certificates issued on or after April 1, 2020, end-entity
> certificates MUST include an EKU extension containing KeyPurposeId(s)
> describing the intended usage(s) of the certificate, and the EKU extension
> MUST NOT contain the KeyPurposeId anyExtendedKeyUsage.
>
> This does not imply that there will be technical enforcement, but also
> doesn't rule it out.
>
> I will appreciate everyone's feedback on this proposal.
If I may pick the absolute smallest of nits, is it "better" if the restriction be on certificate notBefore, rather than "issued on"? Whilst that leaves certificates open to backdating, it does make it easier to identify misissuance. Otherwise there could be arguments made that the certificate was *actually* issued before the effective date, even though there is no evidence that that is the case.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
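An added example, not from the thread or from any CA's tooling, of what a lint for the proposed section 5.2 rule looks like when the cutoff is keyed to notBefore as Matt suggests: it uses only Go's standard `crypto/x509`, and the function names, the `example.test` subject and the self-signed test certificate builder are assumptions made for the demonstration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// Cutoff from the proposal, tested against notBefore as Matt suggests.
var effectiveDate = time.Date(2020, time.April, 1, 0, 0, 0, 0, time.UTC)
// CheckEKUPolicy returns nil when cert satisfies the proposed section 5.2 rule
// and an error naming the violation otherwise; CA certs and pre-cutoff certs pass.
func CheckEKUPolicy(cert *x509.Certificate) error {
	if cert.IsCA || cert.NotBefore.Before(effectiveDate) {
		return nil
	}
	// Go fills these two slices from the EKU extension; both empty means it is absent.
	if len(cert.ExtKeyUsage)+len(cert.UnknownExtKeyUsage) == 0 {
		return errors.New("end-entity certificate has no EKU extension")
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageAny {
			return errors.New("EKU extension contains anyExtendedKeyUsage")
		}
	}
	return nil
}

// MakeTestCert builds a self-signed certificate (constructed sample, hypothetical
// subject) so the check can be exercised offline without a real CA.
func MakeTestCert(notBefore time.Time, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, 90),
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate dated before the cutoff passes regardless of its EKU, which is exactly the backdating gap Matt notes; the check trades that for a rule anyone can evaluate from the certificate alone.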