On Saturday, November 5, 2016 at 2:06:00 AM UTC-7, Gervase Markham wrote: > On 04/11/16 21:23, Ryan Sleevi wrote: > > If there's concerns about GAs - would it be best to reply on this thread or > > start a new one per-CA? > > If there's more than one CA, perhaps a new one per CA would be better, > please.
Well, mostly I'm trying to understand why you listed the following as "GA - EKU but not serverAuth" https://crt.sh/?cablint=211&iCAID=70&minNotBefore=2016-01-01&opt=cablint https://crt.sh/?cablint=211&iCAID=104&minNotBefore=2016-01-01&opt=cablint Even though the individual certs, such as https://crt.sh/?id=39635446&opt=cablint or https://crt.sh/?id=31394742&opt=cablint , have an EKU, their issuing CAs, https://crt.sh/?caid=104&opt=cablint and https://crt.sh/?caid=70&opt=cablint , do not. As noted elsewhere, the issuance of SHA-1 allows for an attacker to pivot the contents of the certificates, and the only mitigation is the EKU on the sub-CA. Are you suggesting this is GA because it wasn't clear enough to CA members at the time this was issued? Because I can't help but feel that this particular point was discussed at considerable length prior to these CA's issuances. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy