On 17/11/16 13:58, Rob Stradling wrote: > I was mostly just wearing my "please don't create unnecessary extra work > for CAs" hat. > > However, let's not forget that it's arguably a violation of RFC5280 to > (ab)use the EKU extension in intermediate certs as a constraint > mechanism. It's definitely conceivable that there are some modern > applications that don't process the EKU extension in intermediate certs, > but which do blow up when they encounter a critical extension that they > don't process.
Yeah, OK. Fair enough. Gerv _______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
