On Wed, Apr 24, 2019 at 09:13:31AM +0300, Dimitris Zacharopoulos via 
dev-security-policy wrote:
> I support this update but I am not sure if this is somehow linked with the
> scope of the Mozilla Policy. Does this change mean that after April 1, 2020,
> any Certificate that does not have an EKU is out of Mozilla Policy scope or
> not?

Given that the change doesn't touch section 1.1, it's reasonable to believe
that the scope of the policy is not changing.

> If this change intends to bring these types of certificates out of scope
> after April 1, 2020, we must make this clear and probably also update
> section 1.1.

My reading of the policy, as amended by this proposal, as well as my
understanding of past discussions in this group, is that certificates
without an EKU are in scope now, and they will continue to be in scope if
this amendment is adopted.  The only change is that end-entity certificates
without an EKU will be considered misissued if the certificate's notBefore
is on or after April 1, 2020.

If you feel that the policy, as amended, does not make this state of affairs
clear, I'm sure Wayne would welcome suggestions for improvement.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
