Wayne Thayer於 2019年3月30日星期六 UTC+8上午4時48分27秒寫道: > The BRs require EKUs in leaf TLS certs, but there is no equivalent > requirement for S/MIME certificates. This leads to confusion such as [1] in > which certificates that are not intended for TLS or S/MIME fall within the > scope of our policies. > > Simply requiring EKUs in S/MIME certificates won't solve the problem unless > we are willing to exempt certificates without an EKU from our policies, and > doing that would create a rather obvious loophole for issuing S/MIME > certificates that don't adhere to our policies. > > The proposed solution is to require EKUs in all certificates that chain up > to roots in our program, starting on some future effective date (e.g. April > 1, 2020). This has the potential to cause some compatibility problems that > would be difficult to measure and assess. Before drafting language for this > proposal, I would like to gauge everyone's support for this proposal. > > Alternately, we could easily argue that section 1.1 of our existing policy > already makes it clear that CAs must include EKUs other than > id-kp-serverAuth and id-kp-emailProtection in certificates that they wish > to remain out of scope for our policies. > > This is https://github.com/mozilla/pkipolicy/issues/163 > > I will greatly appreciate everyone's input on this topic. > > - Wayne > > [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1523221
GPKI(Taiwan) will follow Mozilla policy to add EKU to EE certificates However, the influence range of implementation is very large. We need to define our own Document Signing EKU and data encryption EKU, and coordinate all subordinate Cas(Five CAs) and application system’s owners(more than 2,000 application systems). It needs a whole year to implement this. Therefore, after multiple evaluations, it is decided to officially add the EKU to the user certificate on January 1, 2021. It is difficult for us to complete ahead of April 2020. Can we get more buffer? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
