You could find the following requirement in the latest Baseline Requirement:
7. CERTIFICATE, CRL, AND OCSP PROFILES 7.1 Certificate profile 7.1.2 Certificate Content and Extensions; Application of RFC 5280 7.1.2.2 Subordinate CA Certificate ... g. extkeyUsage (optional/required) For Cross Certificates ... For all other Subordinate CA Certificates, including Technically Constrained Subordinate CA Certificates: This extension MUST be present and SHOULD NOT be marked critical. ... If I understand this requirement correctly, each Subordinate CA certificate (excluding the above mentioned Cross Certificates) shall contain the EKU extension. Does it mean that all Subordinate CA certificates issued after a specific date shall contain the EKU extension? What is the effect date of this requirement? Is it 20 August 2020, as the issue date of this version of the Baseline Requirement? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy