No EKU is the same as AnyEKU, and should be treated accordingly.
Otherwise you’re diverging from RFC 5280 and there’s no reason to even
contemplate that for this.
-Tim
From: Smcwg-public On Behalf Of Ben Wilson
via Smcwg-public
Sent: Friday, July 28, 2023 9:45 AM
To: SMIME Certificate
All,
For TLS Certificates, I think it was discovered that they would still work
if there was no EKU in them (or maybe that was just the chaining down from
Intermediate CA certificates). Anyway, I have commented in a discussion on
the Mozilla Dev-Security-Policy list