Re: [SPAM] Re: EKUs covered in the Mozilla CA Program
On 13/05/14 14:48, Peter Bowen wrote:
> I would add the old Netscape Step-Up/SGC (2.16.840.1.113730.4.1) and
> any EKU (2.5.29.37.0) to the list as well.

The point of the bug I reference is that we'd like to stop caring about these (in code), because allowing anyEKU means that we include in scope (and permit for SSL) a bunch of certs we don't really want to include in scope and really shouldn't be permitted for SSL as they weren't intended for SSL.

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: EKUs covered in the Mozilla CA Program
On 05/13/2014 06:48 AM, Peter Bowen wrote:
> I think the biggest question probably is id-kp-clientAuth. From a quick
> scan of the NSS certdb code, it seems that setting this EKU in a CA cert
> would allow it to issue serverAuth and emailProtection certs. Therefore
> it would seem reasonable to include this as well.
>
> Thanks,
> Peter

That may well be the case for NSS. However, the new certificate verification library under development and in use by default in Firefox >= 31 does not allow this. In case you hadn't heard about it, the new library is mozilla::pkix. Here's some more information:

https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/
https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing

Cheers,
David
Re: EKUs covered in the Mozilla CA Program
On Tue, May 13, 2014 at 11:45 AM, David Keeler dkee...@mozilla.com wrote:
> On 05/13/2014 06:48 AM, Peter Bowen wrote:
>> I think the biggest question probably is id-kp-clientAuth. From a quick
>> scan of the NSS certdb code, it seems that setting this EKU in a CA cert
>> would allow it to issue serverAuth and emailProtection certs. Therefore
>> it would seem reasonable to include this as well.
>
> That may well be the case for NSS. However, the new certificate
> verification library under development and in use by default in
> Firefox >= 31 does not allow this. In case you hadn't heard about it,
> the new library is mozilla::pkix.

In the certdata.txt file, there are only four trust attributes used. No certificate has CKA_TRUST_CLIENT_AUTH or CKA_TRUST_TIME_STAMPING. Does this mean that, with the switch to mozilla::pkix, Mozilla and NSS is not defining any CA as trusted to issue certificates for client authentication or time stamping?

Thanks,
Peter
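Peter's observation about which CKA_TRUST_* attributes actually occur in certdata.txt is easy to check mechanically. The following is an added example, not code from the thread or from NSS: it parses the CKO_NSS_TRUST objects in certdata.txt syntax and counts which trust purposes are granted as CKT_NSS_TRUSTED_DELEGATOR. The two root records in SAMPLE are constructed for illustration, not real roots.

```python
"""Audit which CKA_TRUST_* purposes an NSS certdata.txt grants.

Trust objects are blocks of "ATTRIBUTE TYPE VALUE" lines starting with
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST.  Octal certificate dumps and
END markers are skipped because they never match the attribute pattern.
"""
import re
from collections import Counter

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"
LINE = re.compile(r'^(CKA_\w+)\s+(\w+)(?:\s+(.*))?$')

# Constructed sample in certdata.txt syntax; not real root entries.
SAMPLE = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
"""

def parse_trust_objects(text):
    """Return one {"label", "flags"} dict per CKO_NSS_TRUST object."""
    objects, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # blank, comment, octal or END line
        attr, typ, value = m.group(1), m.group(2), m.group(3) or ""
        if attr == "CKA_CLASS":           # a new object starts here
            current = {"label": None, "flags": {}} if value == "CKO_NSS_TRUST" else None
            if current is not None:
                objects.append(current)
        elif current is None:
            continue                      # inside a CKO_CERTIFICATE object
        elif attr == "CKA_LABEL":
            current["label"] = value.strip('"')
        elif attr.startswith("CKA_TRUST_") and typ == "CK_TRUST":
            current["flags"][attr] = value
    return objects

def trusted_purposes(obj):
    """Sorted CKA_TRUST_* attributes this object sets to TRUSTED_DELEGATOR."""
    return sorted(a for a, v in obj["flags"].items() if v == TRUSTED)

def attribute_usage(objects):
    """Count how many trust objects grant each purpose; absent keys never occur."""
    return Counter(a for o in objects for a in trusted_purposes(o))
```

Running attribute_usage over a full certdata.txt shows directly whether purposes such as CKA_TRUST_CLIENT_AUTH or CKA_TRUST_TIME_STAMPING are ever granted, which is the question raised above.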