RE: More SHA-1 certs

2016-03-04 Thread Jeremy Rowley
My fix is much simpler (because the BRs have traditionally avoided requiring reissuance of sub CAs). Require that all certs with serverauth, anyEKU, or no EKU be covered by the BRs. CAs required to issue certs that are covered but cannot conform (because of another policy) will get a qualified a

Re: More SHA-1 certs

2016-03-04 Thread Matt Palmer
On Fri, Mar 04, 2016 at 09:19:36PM +, Rob Stradling wrote:
> Maybe we need to take a different approach that ignores the end-entity
> certificate profile completely. How about we propose that...
>
> - An X.509 certificate is in scope for the BRs if it's signed by an
> Issuing CA that is in

Re: More SHA-1 certs

2016-03-04 Thread Rob Stradling
On 04/03/16 04:18, Jeremy Rowley wrote: If you recall, the fact that pre-certs are out of scope of the BRs was one of the reasons against putting them into the BRs in the first place. The decision to add them was to assist CAs who may have an overly strict reading on scope considering the very