Wayne,

The Microsoft policy already requires that CAs include EKUs in all EE certificates that chain up to roots in their program. See 4.A.18 in http://aka.ms/RootCert

Effective February 1, 2017, all end-entity certificates must contain the EKU for the purpose that the CA issued the certificate to the customer, and the end-entity certificate may not use "any EKU."

I wonder if there are roots in the Mozilla program that are not in the MS program that "need" to be issued without EKUs? I'm not sure who can answer that question, but if there are objections by CAs then this is the time they should raise them.

Doug

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Wayne Thayer via dev-security-policy
Sent: Tuesday, April 2, 2019 5:35 PM
To: Brian Smith <br...@briansmith.org>
Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Policy 2.7 Proposal: Require EKUs in End-Entity Certificates

Brian,

I think we are in agreement that this isn't a desirable addition to our policy.

On Mon, Apr 1, 2019 at 5:36 PM Brian Smith via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> Here when you say "require EKUs," you mean that you are proposing that software that uses Mozilla's trust store must be modified to reject end-entity certificates that do not contain the EKU extension, if the certificate chains up to the roots in Mozilla's program, right?

That would be a logical goal, but I was only contemplating a policy requirement.

> If so, how would one implement the "chain[s] up to roots in our program" check? What's the algorithm? Is that actually well-defined?
>

My starting proposal would be to reject all EE certs issued after a certain future date that don't include EKU(s), or that assert anyEKU. If your point is that it's not so simple and that this will break things, I suspect that you are correct.

- Wayne

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
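The rule Wayne sketches (reject an EE certificate that carries no EKU extension or that asserts anyEKU), as an added example that is not code from this thread: it walks the DER Extensions SEQUENCE of a TBSCertificate with the standard library only, so it does not touch the "chains up to roots in our program" question Brian raises. The helper names (_read_tlv, make_extensions, check_eku_policy) and the sample extension data the block builds are my own constructions.

```python
# Added example, not code from the thread: applies the proposed EKU rule to the DER Extensions
# SEQUENCE of a TBSCertificate. Helper names and sample data are my own constructions.
EKU_OID, ANY_EKU, SERVER_AUTH = "2.5.29.37", "2.5.29.37.0", "1.3.6.1.5.5.7.3.1"

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):                            # yield (tag, value) for each TLV in a constructed value
    pos = 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        yield tag, val

def _decode_oid(value):                        # DER OID value (base-128 arcs) -> dotted form
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def _tlv(tag, value):                          # short-form length suffices for the sample below
    return bytes([tag, len(value)]) + value

def _encode_oid(oid):                          # sample OIDs only use arcs < 128
    a = [int(x) for x in oid.split(".")]
    return _tlv(0x06, bytes([a[0] * 40 + a[1]] + a[2:]))

def make_extensions(ekus):
    """Constructed sample Extensions SEQUENCE with one EKU extension, or empty if ekus is None."""
    purposes = _tlv(0x30, b"".join(_encode_oid(o) for o in ekus or ()))  # ExtKeyUsageSyntax
    ext = _tlv(0x30, _encode_oid(EKU_OID) + _tlv(0x04, purposes))
    return _tlv(0x30, ext if ekus else b"")

def check_eku_policy(extensions_der):
    """Return 'accept: ...' or 'reject: ...' for the EKU rule under discussion."""
    for _, ext in _children(_read_tlv(extensions_der, 0)[1]):
        fields = list(_children(ext))          # extnID, optional critical BOOLEAN, extnValue
        if _decode_oid(fields[0][1]) != EKU_OID:
            continue
        octets = fields[-1][1]                 # extnValue wraps SEQUENCE OF KeyPurposeId
        found = [_decode_oid(v) for _, v in _children(_read_tlv(octets, 0)[1])]
        return "reject: anyEKU" if ANY_EKU in found else "accept: " + ",".join(found)
    return "reject: no EKU"
```

To run it against a real certificate, feed the DER of its Extensions SEQUENCE (the [3] EXPLICIT field of TBSCertificate) to check_eku_policy; a leaf with only serverAuth passes, while one lacking EKU or listing anyExtendedKeyUsage is rejected.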