On Fri, Apr 19, 2019 at 7:12 PM Matt Palmer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On Fri, Apr 19, 2019 at 01:22:59PM -0700, Wayne Thayer via
> dev-security-policy wrote:
> > Okay, then I propose adding the following to section 5.2 "Forbidden and
> > Required Practices":
> >
> > Effective for certificates issued on or after April 1, 2020, end-entity
> > certificates MUST include an EKU extension containing KeyPurposeId(s)
> > describing the intended usage(s) of the certificate, and the EKU extension
> > MUST NOT contain the KeyPurposeId anyExtendedKeyUsage.
> >
> > This does not imply that there will be technical enforcement, but also
> > doesn't rule it out.
> >
> > I will appreciate everyone's feedback on this proposal.
>
> If I may pick the absolute smallest of nits, is it "better" if the
> restriction be on certificate notBefore, rather than "issued on"? Whilst
> that leaves certificates open to backdating, it does make it easier to
> identify misissuance. Otherwise there could be arguments made that the
> certificate was *actually* issued before the effective date, even though
> there is no evidence that that is the case.
>

Thanks Matt, I can see how that change makes it easier to check for compliance. I've added my proposal, updated per Matt's suggestion, to the 2.7 branch: https://github.com/mozilla/pkipolicy/commit/842c9bd53e43904b160e79cb199018252fb60834

Unless there are further comments, I'll consider this issue resolved.

- Wayne

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
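The rule discussed in the thread (EKU present, anyExtendedKeyUsage absent, keyed on the certificate's notBefore rather than an unverifiable "issued on" date) is easy to turn into a mechanical compliance check. The following is an added example, not code from the thread or from the mozilla/pkipolicy repository. It assumes the caller has already pulled the certificate's notBefore and the raw DER value of the extKeyUsage extension (OID 2.5.29.37) out of the certificate with any X.509 library; the DER encoder is included only to construct sample inputs, and the effective date is the one stated in the proposal.

```python
"""Check an end-entity certificate against the proposed Mozilla policy 2.7
EKU rule.  Added example; helper OIDs and sample inputs are constructed here."""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Effective date from the proposal; compared against notBefore per Matt's nit.
EFFECTIVE_DATE = datetime(2020, 4, 1, tzinfo=timezone.utc)

ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"   # the KeyPurposeId the rule forbids
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"        # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"        # id-kp-clientAuth


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (only used to build sample data)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids: List[str]) -> bytes:
    """DER-encode ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (sample data)."""
    inner = b"".join(encode_oid(o) for o in oids)
    assert len(inner) < 128, "short-form length is enough for sample input"
    return bytes([0x30, len(inner)]) + inner


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Decode the value bytes of a DER OBJECT IDENTIFIER to dotted form."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der: bytes) -> List[str]:
    """Parse the extKeyUsage extension value into a list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage value is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, oid_body, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


def check_eku_policy(not_before: datetime, eku_der: Optional[bytes]) -> List[str]:
    """Return a list of policy findings; an empty list means compliant."""
    if not_before < EFFECTIVE_DATE:
        return []                       # rule does not apply to this certificate
    if eku_der is None:
        return ["missing EKU extension"]
    purposes = decode_eku(eku_der)
    findings = []
    if not purposes:
        findings.append("EKU extension contains no KeyPurposeId")
    if ANY_EXTENDED_KEY_USAGE in purposes:
        findings.append("EKU extension contains anyExtendedKeyUsage")
    return findings


def run_samples() -> Dict[str, List[str]]:
    """Constructed sample certificates, keyed by case name."""
    after = datetime(2020, 4, 1, tzinfo=timezone.utc)
    before = datetime(2020, 3, 31, tzinfo=timezone.utc)
    return {
        "tls_server": check_eku_policy(after, encode_eku([SERVER_AUTH, CLIENT_AUTH])),
        "any_eku": check_eku_policy(after, encode_eku([SERVER_AUTH, ANY_EXTENDED_KEY_USAGE])),
        "no_eku": check_eku_policy(after, None),
        "legacy": check_eku_policy(before, None),   # notBefore precedes the rule
    }


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Keying the check on notBefore means a certificate with a pre-deadline notBefore but no EKU passes, which is exactly the backdating exposure Matt accepts in exchange for a check that needs nothing beyond the certificate itself.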