On Tuesday, April 2, 2019 at 9:36:06 AM UTC+9, Brian Smith wrote:

> I agree the requirements are already clear. The problem is not the clarity
> of the requirements. Anybody can define a new EKU because EKUs are listed
> in the certificate by OIDs, and anybody can make up an EKU. A standard
> isn't required for a new OID. Further, not agreeing on a specific EKU OID
> for a particular kind of usage is poor practice, and we should discourage
> that poor practice.
It is good that anyone can make an OID, so we do not need to violate policy. However, I have the following concerns about the increasing number of private OIDs in the world.

- I think that the OID should be either a CA's private OID or a public OID, because in the case where a CA goes out of business and that business is taken care of by another CA, we would not want those two CAs using the same OID for different usages.
- On the other hand, a CA's private OIDs will reduce interoperability, which seems to be problematic.
- A web browser might just ignore private OIDs, but I am not sure about other certificate verification applications that are used with certificates carrying that private EKU OID.

Overall, I think we should have some kind of public OIDs, at least for widely used purposes. I believe that if it were used for the Internet, we could write an Internet-Draft and ask for OIDs in the RFC3280 EKU repo. (I am planning to try that.)

Tadahiko Ito

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy