On 2010-04-07 01:54 PST, Jean-Marc Desperrier wrote: > Matt McCutchen wrote: >> On Apr 6, 5:54 am, Jean-Marc Desperrier<jmd...@gmail.com> wrote: >>>> Matt McCutchen wrote: >>>>> > An extended key usage of "TLS Web Server Authentication" on the >>>>> > intermediate CA would constrain all sub-certificates, no? >>>> You are here talking about a proprietary Microsoft extension of the X509 >>>> security model. >> No, I'm talking about the "Extended Key Usage" extension defined in >> RFC 5280 section 4.2.1.12. > > I repeat, you *are* talking about a proprietary Microsoft extension, > which is to take into account the EKU inside path validation. > > The EKU as defined in section 4.2.1.12 of RFC 5280 only applies to the > certificate that contains it, it has no effect on certification paths > that include that certificate.
Once RFC 3280 and 5280 were published, that did indeed become the specification of EKU. But long before that, both Netscape (where NSS originated) and Microsoft did just what Matt is describing, and they still do. I can point to some email from former a Microsoft PM (product? project? program? manager) saying that Microsoft adopted it because their competition was already using it, and that Microsoft has no plans to stop it. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto