Hello. Sorry if this question is incorrect, but I’d like to know if it would acceptable that, for CAs that are owned and operated by the same entity that the Root, the CA certificate is reissued with the same key pair without the offending EKU, instead of doing a full issuance with new keys. I consider this particular case as less risky than externally operated CAs, so I wonder if this could make possible an smoother solution. Your comments and guidance are appreciated. Thanks, Pedro _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert
Pedro Fuentes via dev-security-policy Thu, 02 Jul 2020 11:35:07 -0700
- RE: SECURITY RELEV... Tim Hollebeek via dev-security-policy
- Re: SECURITY R... Ryan Sleevi via dev-security-policy
- Re: SECURITY RELEVANT FOR C... Rob Stradling via dev-security-policy
- Re: SECURITY RELEVANT ... Peter Mate Erdosi via dev-security-policy
- Re: SECURITY RELEV... Rob Stradling via dev-security-policy
- Re: SECURITY R... Peter Mate Erdosi via dev-security-policy
- SECURITY RELEVANT FOR CAs: ... Pedro Fuentes via dev-security-policy
- Re: SECURITY RELEVANT ... Ryan Sleevi via dev-security-policy
- Re: SECURITY RELEV... Pedro Fuentes via dev-security-policy
- Re: SECURITY R... Ryan Sleevi via dev-security-policy
- Re: SECURI... Pedro Fuentes via dev-security-policy