On 2017-04-12 11:47, Gervase Markham wrote:
"If the certificate includes the id-kp-emailProtection extended key
usage, it MUST include the Name Constraints X.509v3 extension with
constraints on rfc822Name, with at least one name in permittedSubtrees."
I think this change itself makes sense.
Reading that section, I think it could use some improvements. It's for
instance not really clear that this is needed "to be considered
technically constrained", but I guess that's the intention.
But I'm also wondering what you expect if it contains other EKUs like
client auth, code sign, unknown. Do we always consider them constraint?
So I'm suggesting something like:
When the following EKUs are included, to be considered technically
constrained, the following additional constraints should be present.
Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy