Unless there is further discussion, I will consider this issue closed with the following change to section 5.3, meaning that it applies to both unconstrained and technically constrained intermediates:
Subordinate CA certificates created after January 1, 2019:
* MUST contain an EKU extension; and,
* MUST NOT include the anyExtendedKeyUsage KeyPurposeId; and,
* MUST NOT include both the id-kp-serverAuth and id-kp-emailProtection KeyPurposeIds in the same certificate.

- Wayne

On Mon, Apr 30, 2018 at 5:58 PM, pfuentes69--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> Maybe I'm too pragmatic, but from a risk management perspective, I don't see a constrained CA issuing a poor certificate harming the whole CA/Browser community, so I would even accept that risk.
>
> Anyway, as a conclusion, I see your point about this maybe being difficult to manage in the real world, so I guess my request to consider the exception for name constrained CAs is not as straightforward as it's in my head.
>
> Cheers!
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
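An added checker for the three section 5.3 rules quoted above (example code written for this page, not part of the thread or of any Mozilla tooling). It assumes the caller has already extracted the raw DER value of the extKeyUsage extension (OID 2.5.29.37) from the subordinate CA certificate, passing None when the extension is absent, and it uses notBefore as the "created" date; the sample EKU encodings and dates are constructed.

```python
# Assumes the caller passes the raw DER value of extKeyUsage (OID 2.5.29.37)
# and uses notBefore as the "created" date; None means the extension is absent.
from datetime import datetime, timezone
ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
EMAIL_PROT = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection
CUTOFF = datetime(2019, 1, 1, tzinfo=timezone.utc)
# Constructed sample inputs, not taken from any real certificate:
ISSUED_2019 = datetime(2019, 6, 1, tzinfo=timezone.utc)
ISSUED_2018 = datetime(2018, 6, 1, tzinfo=timezone.utc)
EKU_BOTH = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070304")
EKU_ANY = bytes.fromhex("3006" "0604551d2500")
EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")

def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER (X.690 8.19)."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear ends the base-128 arc
            arcs.append(value)
            value = 0
    # the first octet packs the first two arcs (40*arc1 + arc2, or 80+arc2 for arc1 == 2)
    lead = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(str(a) for a in lead + arcs[1:])

def parse_eku(der: bytes) -> list:
    """Parse ExtKeyUsageSyntax (SEQUENCE OF KeyPurposeId); short-form lengths only."""
    if der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("unsupported or malformed EKU SEQUENCE")
    body, oids, i = der[2:2 + der[1]], [], 0
    while i < len(body):
        if body[i] != 0x06:
            raise ValueError("non-OID element in EKU")
        n = body[i + 1]
        oids.append(decode_oid(body[i + 2:i + 2 + n]))
        i += 2 + n
    return oids

def check_sub_ca_eku(not_before: datetime, eku_der) -> list:
    """Return the policy violations for a subordinate CA cert (empty == OK)."""
    if not_before < CUTOFF:           # rules apply only from 2019-01-01 on
        return []
    if eku_der is None:
        return ["MUST contain an EKU extension"]
    oids, problems = parse_eku(eku_der), []
    if ANY_EKU in oids:
        problems.append("MUST NOT include anyExtendedKeyUsage")
    if SERVER_AUTH in oids and EMAIL_PROT in oids:
        problems.append("MUST NOT include both serverAuth and emailProtection")
    return problems
```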