On Mon, Nov 1, 2021 at 3:34 PM Corey Bonnell <[email protected]> wrote:
> > I'm accepting your suggestion and phrasing it, "CAs SHOULD NOT include > more than a single KeyPurposeID in the EKU extension." > > > > This is quite a bit more onerous than the current BRs, which explicitly > allow for id-kp-clientAuth to be included alongside id-kp-serverAuth. Is > the deprecation of id-kp-clientAuth KP in serverAuth TLS certificates > intentional? > I'm not sure I follow? A SHOULD NOT is not any more onerous, as it's not a prohibition. >From RFC 2119, which Mozilla policy incorporates by reference SHOULD NOT This phrase, or the phrase "NOT RECOMMENDED" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label. -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHG_uZACuiDQNM9ubqctOv5er9h3Y3nQQy7CaoanTwBF1Q%40mail.gmail.com.
