Of course I missed a key step. If there is an EKU extension, check to see if it contains the anyEKU KP. If so, then go to the pathLen check. Otherwise check for specific KPs.
> On Apr 30, 2017, at 9:27 AM, Jeremy Rowley <[email protected]> wrote:
>
> Lol at the IPv4 and IPv6 part.
>
> From: Public [mailto:[email protected]] On Behalf Of Peter Bowen via Public
> Sent: Sunday, April 30, 2017 8:53 AM
> To: CA/Browser Forum Public Discussion List <[email protected]>
> Cc: Peter Bowen <[email protected]>
> Subject: [cabfpub] Which CAs must be audited
>
> Over on the mozilla.dev.security.policy list, there was some confusion about
> which subordinate CAs need to have audits.
>
> I’ve put together two flow charts to help document what I think has been said
> on that list. I tried to merge info from both the Mozilla and Microsoft
> policies, so I might be a little off.
>
> The one place where this does differ from current Mozilla policy is that it
> has disclosure of technically constrained CA certificates themselves. This
> is proposed for Mozilla but not yet required.
>
> Anyone see errors?
>
> Thanks,
> Peter
>
> <image001.png>
>
> <image002.jpg>
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
