You can find the following requirement in the latest Baseline Requirements:

7. CERTIFICATE, CRL, AND OCSP PROFILES
7.1 Certificate profile
7.1.2 Certificate Content and Extensions; Application of RFC 5280
7.1.2.2 Subordinate CA Certificate
...
g. extkeyUsage (optional/required)
For Cross Certificates ...
For all other Subordinate CA Certificates, including Technically Constrained 
Subordinate CA Certificates:
This extension MUST be present and SHOULD NOT be marked critical.
...

If I understand this requirement correctly, each Subordinate CA certificate 
(excluding the above mentioned Cross Certificates) shall contain the EKU 
extension.

Does it mean that all Subordinate CA certificates issued after a specific date 
shall contain the EKU extension?
What is the effective date of this requirement?
Is it 20 August 2020, the issue date of this version of the Baseline 
Requirements?