Brian, I think we are in agreement that this isn't a desirable addition to our policy.
On Mon, Apr 1, 2019 at 5:36 PM Brian Smith via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> Here when you say "require EKUs," you mean that you are proposing that
> software that uses Mozilla's trust store must be modified to reject
> end-entity certificates that do not contain the EKU extension, if the
> certificate chains up to the roots in Mozilla's program, right?

That would be a logical goal, but I was only contemplating a policy requirement.

> If so, how would one implement the "chain[s] up to roots in our program" check?
> What's the algorithm? Is that actually well-defined?

My starting proposal would be to reject all EE certs issued after a certain future date that don't include EKU(s), or that assert anyEKU. If your point is that it's not so simple and that this will break things, I suspect that you are correct.

- Wayne
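As an added illustration (not code from either participant), this is how the rule Wayne sketches could be checked on a single end-entity certificate with Go's standard crypto/x509: issued on or after a cutoff, the leaf must carry an EKU extension and must not assert anyExtendedKeyUsage. The cutoff date and the self-signed test certificate are constructed placeholders, and whether the leaf chains to a program root is assumed to be decided elsewhere, which is exactly the part Brian asks about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Cutoff stands in for the "certain future date" in the proposal (placeholder).
var Cutoff = time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)

// CheckEKUPolicy applies the proposed rule to one parsed end-entity certificate:
// if issued on or after cutoff it must carry an EKU extension and not assert anyEKU.
func CheckEKUPolicy(cert *x509.Certificate, cutoff time.Time) error {
	if cert.NotBefore.Before(cutoff) {
		return nil // issued before the effective date: exempt
	}
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 { // extension absent
		return errors.New("EKU extension absent")
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageAny {
			return errors.New("anyExtendedKeyUsage asserted")
		}
	}
	return nil
}

// selfSigned builds a constructed self-signed test certificate (not CA-issued).
func selfSigned(notBefore time.Time, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore, NotAfter: notBefore.Add(90 * 24 * time.Hour),
		ExtKeyUsage:  ekus, // nil: no EKU extension is written at all
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```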