Matt McCutchen wrote:
> On Apr 6, 5:54 am, Jean-Marc Desperrier <jmd...@gmail.com> wrote:
> > Matt McCutchen wrote:
> > > An extended key usage of "TLS Web Server Authentication" on the
> > > intermediate CA would constrain all sub-certificates, no?
> >
> > You are here talking about a proprietary Microsoft extension of the X509
> > security model.
> No, I'm talking about the "Extended Key Usage" extension defined in
> RFC 5280 section 4.2.1.12.

I repeat, you *are* talking about a proprietary Microsoft extension, which is to take into account the EKU inside path validation.

The EKU as defined in section 4.2.1.12 of RFC 5280 only applies to the certificate that contains it; it has no effect on certification paths that include that certificate.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
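
Added example, not part of the thread and not code from any library mentioned in it: a simplified Python model of the two readings of EKU argued above, showing where they give different answers for the same chain. Certificates are reduced to their EKU OID sets (None meaning no EKU extension), chains are listed leaf first without the trust anchor, and the function names and sample chains are constructed for illustration; signature and other path checks are out of scope.

```python
from typing import FrozenSet, List, Optional, Sequence

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth ("TLS Web Server Authentication")
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
ANY_EKU = "2.5.29.37.0"                 # anyExtendedKeyUsage

Eku = Optional[FrozenSet[str]]  # None = certificate has no EKU extension


def permits(eku: Eku, purpose: str) -> bool:
    """A single certificate's EKU: absent or anyExtendedKeyUsage allows any purpose."""
    return eku is None or ANY_EKU in eku or purpose in eku


def leaf_only(chain: Sequence[Eku], purpose: str) -> bool:
    """Reading 1: the EKU applies only to the certificate that contains it."""
    if not chain:
        raise ValueError("empty chain")
    return permits(chain[0], purpose)


def chained(chain: Sequence[Eku], purpose: str) -> bool:
    """Reading 2: a CA's EKU also constrains every certificate beneath it."""
    if not chain:
        raise ValueError("empty chain")
    return all(permits(eku, purpose) for eku in chain)


def blocking_certs(chain: Sequence[Eku], purpose: str) -> List[int]:
    """Chain positions (0 = leaf) whose EKU excludes the purpose."""
    return [i for i, eku in enumerate(chain) if not permits(eku, purpose)]


# Constructed chains: [leaf, intermediate CA]
EMAIL_LEAF_UNDER_TLS_CA = [frozenset({EMAIL_PROTECTION}), frozenset({SERVER_AUTH})]
TLS_LEAF_UNDER_OPEN_CA = [frozenset({SERVER_AUTH}), None]

if __name__ == "__main__":
    for name, chain, purpose in [
        ("email leaf under TLS-only CA", EMAIL_LEAF_UNDER_TLS_CA, EMAIL_PROTECTION),
        ("TLS leaf under CA without EKU", TLS_LEAF_UNDER_OPEN_CA, SERVER_AUTH),
    ]:
        print(name, "| leaf-only:", leaf_only(chain, purpose),
              "| chained:", chained(chain, purpose),
              "| blocked at:", blocking_certs(chain, purpose))
```

When auditing a deployment that relies on an EKU-restricted intermediate, the chains to test are the ones where the two functions disagree, since those show which reading the validator under test implements.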
