On Thu, May 21, 2020 at 11:23 AM Ryan Sleevi <[email protected]> wrote:
<snip>
>>
>> I am aware of the "fight" about EKU chaining.  I have a view, but I did not 
>> really want to drag subcerts into that controversy.
>
>
> Sure, but unfortunately, the design of DC/subcerts is a direct result of that 
> running code.

One of the hard requirements for our deployment was that the same
certificate be usable with DCs and without. A different EKU would be
more problematic than an extension for this purpose, and while it
might be more or less irritating for implementors depending on how
their stack works (sorry Rich -
https://boringssl-review.googlesource.com/c/boringssl/+/33666/1 might
serve as inspiration, but the client side got dropped for similar
issues). We know the extension doesn't bust things, I don't know an
EKU would, and the root program issues make me hesitate.

Anyway it sounds like no one really has a problem with an extension,
just a question.

Sincerely,
Watson Ladd

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls