This proposal is to require intermediate certificates to be dedicated to specific purposes by EKU. Beginning at some future date, all newly created intermediate certificates containing either the id-kp-serverAuth or id-kp-emailProtection EKUs would be required to contain only a single EKU.
Arguments for this requirement are that it reduces risk of an incident in which one type of certificate affecting another type, and it could allow some policies to be restricted to specific types of certificates. It was pointed out that Microsoft already requires dedicated intermediates [1]. I would appreciate everyone's input on this topic. I suspect that it will be tempting to extend this discussion into intermediate rollover policies, but I would remind everyone of the prior inconclusive discussion on that topic [2]. This is: https://github.com/mozilla/pkipolicy/issues/26 [1] https://aka.ms/rootcert [2] https://groups.google.com/d/msg/mozilla.dev.security.policy/3NdNMiM-TQ8/hgVsCofcAgAJ ------- This is a proposed update to Mozilla's root store policy for version 2.6. Please keep discussion in this group rather than on GitHub. Silence is consent. Policy 2.5 (current version): https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
