Paul Wouters via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>I'm not sure how that is helpful for those crypto libraries who mistakenly
>believe a certificate is a TLS certificate and thus if the EKU is not empty
>it should have serverAuth or clientAuth.

Sure, it wouldn't help with current libraries that neither acknowledge non-TLS
use nor know about the tlsCompabitility EKU, but it would act as a signalling
mechanism going forward to inform RP's about what's going on. So if you get
notified about an apparently-wrong cert you can see the tlsCompabitility EKU
and realise what's going on.

Peter.