Re: [Servercert-wg] [External Sender] Discussion about single-purpose client authentication leaf certificates issued from a server TLS Issuing CA

Dimitris Zacharopoulos (HARICA) via Servercert-wg Fri, 17 May 2024 02:22:48 -0700


On 16/5/2024 10:29 μ.μ., Clint Wilson wrote:

AFAIK Apple and Mozilla also don't have a specific "trust bit" for Client 
Authentication. Only Microsoft does.

FWIW, Apple does indeed have a specific trust bit for id-kp-clientAuth EKU and 
allows for (and ships) dedicated clientAuth Root CAs in the Apple Root Program 
(as outlined in 2.1.3 of the ARP Policy).

Thanks for the correction Clint. I had the impression that you shippedonly Apple Roots for clientAuth. My bad.


Dimitris.



_______________________________________________
Servercert-wg mailing list
[email protected]
https://lists.cabforum.org/mailman/listinfo/servercert-wg

Re: [Servercert-wg] [External Sender] Discussion about single-purpose client authentication leaf certificates issued from a server TLS Issuing CA

Reply via email to