> On 18 Nov 2016, at 7:26 am, Gervase Markham via Public <[email protected]> wrote:
>
> On 18/11/16 15:04, Rob Stradling wrote:
>> crt.sh currently has 302 CA certificates that contain the
>> id-kp-clientAuth EKU OID
>
> I think you mean id-kp-emailProtection here, from your figures...
>
>> and that are trusted by Microsoft and/or
>> Mozilla and/or Apple.
>>
>> Here's a summary of the EKU OIDs contained in those 302 intermediate certs:
>>
>>  count | x509_extkeyusages | purpose
>> -------+-------------------+-----------------------
>>    302 | 1.3.6.1.5.5.7.3.4 | id-kp-emailProtection
>>    284 | 1.3.6.1.5.5.7.3.2 | id-kp-clientAuth
>>    104 | 1.3.6.1.5.5.7.3.1 | id-kp-serverAuth
>
> People make certs usable for both serverAuth and email/clientAuth? :-|

Yes, it’s quite common to have both serverAuth and clientAuth on the same certificate, for use in machine-to-machine communication where all connections are authenticated in both directions. I’m not sure about both serverAuth and email…
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
