Unless there is further discussion, I will consider this issue closed with
the following change to section 5.3, meaning that it applies to both
unconstrained and technically constrained intermediates:
Subordinate CA certificates created after January 1, 2019:
* MUST contain an EKU extension; and,
> I'd recommend making a requirement that it be "protected" by at least as
many
> bits of strength as the key it protects. Not doing so could cause
compliance
> issues: things like PCI [1] and the NIST [2] recommendations require this
type of
> protection.
You don't have compliance problems
2 matches
Mail list logo
