On 18/11/2016 5:34 PM, Rob Stradling via Public wrote:
On 18/11/16 15:26, Gervase Markham wrote:
On 18/11/16 15:04, Rob Stradling wrote:
crt.sh currently has 302 CA certificates that contain the
id-kp-clientAuth EKU OID
I think you mean id-kp-emailProtection here, from your figures...
Yeah, I did. Sorry about that.
and that are trusted by Microsoft and/or Mozilla and/or Apple.
Here's a summary of the EKU OIDs contained in those 302 intermediate
certs:
 count | x509_extkeyusages  | purpose
-------+--------------------+-----------------------
   302 | 1.3.6.1.5.5.7.3.4  | id-kp-emailProtection
   284 | 1.3.6.1.5.5.7.3.2  | id-kp-clientAuth
   104 | 1.3.6.1.5.5.7.3.1  | id-kp-serverAuth
People make certs usable for both serverAuth and email/clientAuth? :-|
Sadly. Do you want any more details?
    60 | 1.3.6.1.5.5.7.3.9  | id-kp-OCSPSigning
Wait, what?
Depressing, isn't it.
Others have already replied so I will not state what's already been
said. It may be strange to see an end-entity certificate with both these
EKUs (serverAuth and emailProtection). However, the BRs allow it
(Section 7.1.2.3 "Either the value id-kp-serverAuth [RFC5280] or
id-kp-clientAuth [RFC5280] or both values MUST be present.
id-kp-emailProtection [RFC5280] MAY be present. Other values SHOULD NOT
be present.").
Dimitris.
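As an added example (not code from this thread, from crt.sh, or from the CA/Browser Forum), the following Python script decodes the DER value of an X.509 extKeyUsage extension with a minimal OID parser and checks the resulting EKU set against the BR 7.1.2.3 wording quoted above, additionally flagging the serverAuth+emailProtection and CA-with-OCSPSigning combinations the thread reacts to. The function names, the finding tags and the sample EKU sets are my own constructions; the small DER encoder exists only to build test data offline.

```python
# Added example (not code from the thread or from crt.sh): decode the DER
# value of an X.509 extKeyUsage extension and check the resulting EKU set
# against the wording of BR 7.1.2.3 quoted in the thread. Sample inputs are
# constructed below with a small DER encoder; no real certificates are used.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"

EKU_NAMES = {
    SERVER_AUTH: "id-kp-serverAuth",
    CLIENT_AUTH: "id-kp-clientAuth",
    EMAIL_PROTECTION: "id-kp-emailProtection",
    OCSP_SIGNING: "id-kp-OCSPSigning",
}


def _read_length(data: bytes, pos: int):
    """Read a DER length (short or long form) at data[pos]; return (length, next_pos)."""
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)   # base-128 arcs, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]                          # the first two arcs are packed into one value
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def parse_eku(der: bytes) -> list:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId into dotted OID strings."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("length does not match data")
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        olen, pos = _read_length(der, pos + 1)
        oids.append(decode_oid(der[pos:pos + olen]))
        pos += olen
    return oids


def check_eku(oids, is_ca: bool) -> list:
    """Return short finding tags for an EKU set, following the BR text quoted in the thread."""
    present = set(oids)
    findings = []
    if not present & {SERVER_AUTH, CLIENT_AUTH}:
        findings.append("missing-serverAuth-or-clientAuth")       # one or both MUST be present
    for oid in sorted(present - {SERVER_AUTH, CLIENT_AUTH, EMAIL_PROTECTION}):
        findings.append("should-not:" + EKU_NAMES.get(oid, oid))   # "Other values SHOULD NOT be present"
    if SERVER_AUTH in present and EMAIL_PROTECTION in present:
        findings.append("serverAuth+emailProtection")              # allowed by the BRs, but worth a review
    if is_ca and OCSP_SIGNING in present:
        findings.append("ca-with-OCSPSigning")                     # the combination the thread reacts to
    return findings


# --- constructed sample input: a tiny DER encoder used only to build test data ---
def _base128(v: int) -> bytes:
    chunks = [v & 0x7F]
    v >>= 7
    while v:
        chunks.append(0x80 | (v & 0x7F))
        v >>= 7
    return bytes(reversed(chunks))


def encode_eku(oids) -> bytes:
    """DER-encode a SEQUENCE OF OBJECT IDENTIFIER (short-form lengths only)."""
    body = b""
    for oid in oids:
        arcs = [int(a) for a in oid.split(".")]
        content = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
        body += b"\x06" + bytes([len(content)]) + content
    assert len(body) < 128, "sample encoder only handles short-form lengths"
    return b"\x30" + bytes([len(body)]) + body


if __name__ == "__main__":
    # Constructed intermediate-style EKU set resembling the rows in the table above.
    sample = encode_eku([SERVER_AUTH, CLIENT_AUTH, EMAIL_PROTECTION, OCSP_SIGNING])
    oids = parse_eku(sample)
    print([EKU_NAMES.get(o, o) for o in oids])
    print(check_eku(oids, is_ca=True))
```

To run this over real certificates, feed `parse_eku` the raw extension value (the OCTET STRING contents of extension 2.5.29.37) pulled from whatever certificate library is in use, and set `is_ca` from the basicConstraints extension; the checker deliberately reports the serverAuth+emailProtection case as a review item rather than a violation, because the BR text quoted above permits it.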
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public