> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On
> Behalf Of Ryan Sleevi via dev-security-policy
> On Sat, Jul 4, 2020 at 10:42 PM Peter Bowen via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > As several others have indicated, WebPKI today is effectively a subset
> > of the more generic shared PKI. It is beyond time to fork the WebPKI
> > from the general PKI and strongly consider making WebPKI-only CAs that
> > are subordinate to the broader PKI; these WebPKI-only CAs can be
> > carried by default in public web browsers and operating systems, while
> > the broader general PKI roots can be added locally (using centrally
> > managed policies or local configuration) by those users who want a
> > superset of the WebPKI.
> >
>
> +1. This is the only outcome that, long term, balances the tradeoffs
> appropriately.

+1. Maybe a first step would be to write an RFC that explains how technical constraining based on EKU (and Certificate Policies) through the layers of a multi-tier PKI hierarchy should work. We have seen in this thread that different Application Software Suppliers have different ideas, sometimes not even consistent within their application. I would be willing to support it.

With best regards,
Rufus Buschart

Siemens AG