Wayne,
The Microsoft policy already requires that CAs include EKUs in all EE
certificates that chain up to roots in their program. See 4.A.18 in
http://aka.ms/RootCert
Effective February 1, 2017, all end-entity certificates must contain the EKU
for the purpose that the CA issued the certifica

Hi Wayne,
Sorry about the delay in getting back to you. This first round of CA
notifications went out at approximately 10AM Eastern time on March 25, 2019.
I just sent out a new set of notifications. This time the notifications
were limited only to currently-valid certificates, as expired-cert
not

All,
As you know, CAs who currently have access to the CCADB are now able to
directly enter and update their Root Inclusion Cases [1].
I would like to extend this capability to new CAs, so I propose that we
add the description in the following document to a web page in
https://ccadb.org/cas/

A number of ECC certificates that fail to meet the requirements of policy
section 5.1 were recently reported [1]. There was a lack of awareness that
Mozilla policy is more strict than the BRs in this regard. I've attempted
to address that by adding this to the list of "known places where this
polic

Thanks for raising this, Wayne.
As mentioned on the issue, this heavily overlaps with the RSA combinations
- and, of course, Mozilla policy being more strict than the BRs in
forbidding DSA.
Given that CAs have struggled with the relevant encodings, both for the
signatureAlgorithm and the subjectP

Wayne Thayer wrote:
> On Mon, Apr 1, 2019 at 5:36 PM Brian Smith via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Here when you say "require EKUs," you mean that you are proposing that
>> software that uses Mozilla's trust store must be modified to reject
>> end-enti