On Jan 16, 2020, at 4:02 PM, Eliot Lear (elear) <[email protected]> wrote:
>
> Ok not for nothing but this is getting silly.
Yes.
> If a CA actually revoked a cert for someone using it for EAP, would they
> also have to revoke for someone using it for SMTP, XMPP, and IMAP?
That is apparently the claim.
> Has that ever happened?
I have no idea.
Perhaps we should try?
$ openssl s_client -connect smtp.mozilla.org:587 -starttls smtp > mozilla.crt
$ openssl x509 -text -in mozilla.crt
....
X509v3 Subject Alternative Name:
DNS:smtp1.mdc1.mozilla.com, DNS:smtp1.private.mdc1.mozilla.com,
DNS:smtp1.private.mdc2.mozilla.com, DNS:smtp.mozilla.com, DNS:smtp.mozilla.org,
DNS:smtp1.mdc2.mozilla.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
....
Yup. *Everyone* uses id-kp-serverAuth. For *everything*.
Should we report this mis-use? If so, why? If not, why not?
At this point, it might be simplest to just update 2459:
....
id-kp-serverAuth OBJECT IDENTIFIER ::= {id-kp 1}
-- TLS Web server authentication
....
new ID: delete the word "Web".
Alan DeKok.
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
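As an added example (not part of this thread), a small POSIX shell script that builds a throwaway self-signed certificate with the same KU/EKU shape as the one quoted above and then checks its EKU and openssl's "SSL server" purpose the way a TLS client (an EAP supplicant included) would. All host names are constructed; it assumes OpenSSL 1.1.1 or later for `-addext` and `-ext`.

```shell
#!/bin/sh
# Added example, not code from the original message. Builds a constructed test
# certificate and exposes three checks an operator can run on a real cert file.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test cert: SAN for an SMTP host, KU and EKU mirroring the thread's example.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
  -subj "/CN=smtp.example.test" \
  -addext "subjectAltName=DNS:smtp.example.test,DNS:mail.example.test" \
  -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
  -addext "extendedKeyUsage=serverAuth,clientAuth" >/dev/null 2>&1

# Return 0 if the certificate's EKU lists the given purpose, using the name
# openssl prints (e.g. "TLS Web Server Authentication" for id-kp-serverAuth).
eku_has() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage | grep -q "$2"
}

# Return 0 if openssl's built-in purpose check accepts the cert as an SSL server.
# This is the same id-kp-serverAuth test, applied whatever the protocol on top of TLS is.
purpose_sslserver_ok() {
  openssl x509 -in "$1" -noout -purpose | grep -q '^SSL server : Yes'
}

# Print the DNS SANs one per line, so the name a client connects to can be compared.
san_dns() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/^ *DNS://p'
}
```

Point the three functions at an exported server certificate (as captured with `openssl s_client` above) to see whether a client enforcing id-kp-serverAuth would accept it.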