On 22/09/15 01:01, Brian Smith wrote:
<snip>
But, if the intermediate CA certificate is allowed to issue SSL
certificates, then including the EKU extension with id-kp-serverAuth is
just wasting space. Mozilla's software assumes that when the intermediate
CA certificate does not have an EKU, then the certificate is valid for all
uses. So, including an EKU with id-kp-serverAuth is redundant. And, the
wasting of space within certificates has material consequences that affect
performance and thus indirectly security.

Brian,

Given that the BRs require id-kp-serverAuth in Technically Constrained intermediates, what would be the point of Mozilla dropping that same requirement?

There seems little point providing options that, in reality, CAs are never permitted to choose.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
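Added example, not code from either poster, Mozilla, or Comodo: a small Python model of the EKU rule Brian describes (an intermediate with no EKU is treated as valid for all uses; one that carries an EKU must list id-kp-serverAuth), together with a minimal DER encoder that shows what the extension actually costs in bytes. `CaCert`, `permits_server_auth` and the sample chains are constructed for this illustration and are not mozilla::pkix.

```python
"""Constructed model of the EKU-on-intermediates discussion (not mozilla::pkix)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
ID_CE_EXT_KEY_USAGE = "2.5.29.37"         # id-ce-extKeyUsage


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06) given in dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])     # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                        # base-128, high bit = continuation
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV; short-form length is enough for these sizes."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def encode_eku_extension(oids: Iterable[str]) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING { SEQUENCE OF OID } }."""
    value = der(0x30, b"".join(encode_oid(o) for o in oids))
    return der(0x30, encode_oid(ID_CE_EXT_KEY_USAGE) + der(0x04, value))


@dataclass(frozen=True)
class CaCert:
    name: str
    eku: Optional[FrozenSet[str]]   # None means the EKU extension is absent


def permits_server_auth(chain: List[CaCert]) -> Optional[str]:
    """Apply the rule as stated in the thread to every CA cert in the chain.

    No EKU -> valid for all uses; EKU present -> must contain id-kp-serverAuth.
    Returns the name of the first CA cert that blocks serverAuth, or None.
    """
    for ca in chain:
        if ca.eku is not None and ID_KP_SERVER_AUTH not in ca.eku:
            return ca.name
    return None


if __name__ == "__main__":
    # An EKU holding only id-kp-serverAuth costs 21 bytes of DER per certificate.
    print(len(encode_eku_extension([ID_KP_SERVER_AUTH])), "bytes")
```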

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy