The BRs require EKUs in leaf TLS certs, but there is no equivalent requirement for S/MIME certificates. This leads to confusion such as [1] in which certificates that are not intended for TLS or S/MIME fall within the scope of our policies.
Simply requiring EKUs in S/MIME certificates won't solve the problem unless we are willing to exempt certificates without an EKU from our policies, and doing that would create a rather obvious loophole for issuing S/MIME certificates that don't adhere to our policies. The proposed solution is to require EKUs in all certificates that chain up to roots in our program, starting on some future effective date (e.g. April 1, 2020). This has the potential to cause some compatibility problems that would be difficult to measure and assess. Before drafting language for this proposal, I would like to gauge everyone's support for this proposal. Alternately, we could easily argue that section 1.1 of our existing policy already makes it clear that CAs must include EKUs other than id-kp-serverAuth and id-kp-emailProtection in certificates that they wish to remain out of scope for our policies. This is https://github.com/mozilla/pkipolicy/issues/163 I will greatly appreciate everyone's input on this topic. - Wayne [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1523221 _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy