Sorry - I mixed points on that email. The concern with serverAuth is not
related to technically constrained intermediates. Instead, the potential
conflict is with Things for CAs to Fix found at
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
The text:
1. All
On 5/13/2014 6:26 PM, Jeremy Rowley wrote:
During the CAB Forum discussion on this issue, someone brought up that
Qualified Certs in the EU are supposed to have either the anyEKU present or
omit the EKU. I think the post originated from Chema Gonzalez, but I'll let
him confirm. I'm not sure
That actually clears things up. Intermediate certs aren't required to have
an EKU but, if they do and the intermediate will be used for SSL, they must
have the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU.
Thanks Kathleen!
Jeremy
-Original Message-
From: dev-security-policy
On 5/13/14, 8:46 AM, Jeremy Rowley wrote:
That actually clears things up. Intermediate certs aren't required to have
an EKU but, if they do and the intermediate will be used for SSL, they must
have the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU.
I think I understand the concern now.
I have
On 05/13/2014 06:48 AM, Peter Bowen wrote:
I think the biggest question probably is id-kp-clientAuth. From a
quick scan of the NSS certdb code, it seems that setting this EKU in a
CA cert would allow it to issue serverAuth and emailProtection certs.
Therefore it would seem reasonable to
I have sent the CA Communication.
A copy of it will remain here:
https://wiki.mozilla.org/CA:Communications#May_13.2C_2014
Thanks to all of you who contributed to the discussions about this
communication.
Kathleen
On 5/13/2014 8:46 PM, Kathleen Wilson wrote:
On 5/13/14, 8:46 AM, Jeremy Rowley wrote:
That actually clears things up. Intermediate certs aren't required to have
an EKU but, if they do and the intermediate will be used for SSL, they must
have the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU.
On 13/05/14 21:41, Moudrick M. Dadashov wrote:
snip
1. All new intermediate certificates that include the EKU extension
and will be used for SSL certificate issuance, must include the
id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU. Mozilla will stop
recognizing the Netscape Server Gated Crypto
Hi Rob, thanks, good news for us :)
M.D.
On 5/13/2014 11:52 PM, Rob Stradling wrote:
On 13/05/14 21:41, Moudrick M. Dadashov wrote:
snip
1. All new intermediate certificates that include the EKU extension
and will be used for SSL certificate issuance, must include the
id-kp-serverAuth
On 5/13/14, 1:13 PM, Kathleen Wilson wrote:
I have sent the CA Communication.
A copy of it will remain here:
https://wiki.mozilla.org/CA:Communications#May_13.2C_2014
Thanks to all of you who contributed to the discussions about this
communication.
Kathleen
Also posted a security blog
On Tue, May 13, 2014 at 11:45 AM, David Keeler dkee...@mozilla.com wrote:
On 05/13/2014 06:48 AM, Peter Bowen wrote:
I think the biggest question probably is id-kp-clientAuth. From a
quick scan of the NSS certdb code, it seems that setting this EKU in a
CA cert would allow it to issue