Hello. 
Sorry if this question is incorrect, but I’d like to know if it would 
acceptable that, for CAs that are owned and operated by the same entity that 
the Root, the CA certificate is reissued with the same key pair without the 
offending EKU, instead of doing a full issuance with new keys. 
I consider this particular case as less risky than externally operated CAs, so 
I wonder if this could make possible an smoother solution. 
Your comments and guidance are appreciated. 
Thanks,
Pedro
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to