On 28/11/16 13:50, Bruce Morton wrote:
> An issue is that if a SHA-1 intermediate certificate needs an EKU and
> we are not allowed to issue SHA-1 certificates per BR 7.1.3, then
> there is no fix.
All of this is discussing issuance outside the scope of the BRs anyway. SHA-1 issuance is not permitted for BR-covered certs (except for via the exception process, and even that should go away at the end of the year).

But you are right in that this policy does not allow for the creation of new SHA-1 intermediates, which may be necessary in order to meet EKU restrictions. That needs fixing.

Add a point: CAs may only sign SHA-1 hashes over intermediate certificates if such certificates are only used to sign other SHA-1 hashes which comply with this policy.

Gerv

_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public