All,

I intend to address a minor issue in this batch of changes for MRSP v. 2.8.

Currently, section 5.2 of the MRSP says, "CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage." However, if the CA is creating end-entity certificates for itself, e.g. certificates for test websites as required by section 2.2 of the Baseline Requirements, then this language presents a problem. See https://github.com/mozilla/pkipolicy/issues/238

Here is proposed language to address this issue: add to the end of the phrase above, "unless the certificate is being issued to the CA itself."

https://github.com/BenWilson-Mozilla/pkipolicy/commit/e243b8252d19ba25f73dc56b9db3dc634f562e2b

Please review.

Thanks,
Ben Wilson
