On Tue, 9 Apr 2019 14:07:55 -0400 Ryan Sleevi via dev-security-policy wrote:
> I think it's merely a misparsing of the description.
>
> The intermediate you referenced - https://crt.sh/?id=197857126 -
> chains to a "root in Mozilla's program with the Websites trust bit
> set". That root is
On Tuesday, April 9, 2019 at 12:08:16 PM UTC-6, Ryan Sleevi wrote:
> On Tue, Apr 9, 2019 at 11:25 AM Nick Lamb via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Mozilla's wiki has a page about the subCAs
> >
> > https://wiki.mozilla.org/CA/Intermediate_Certificates
>
On Tue, Apr 9, 2019 at 11:25 AM Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Mozilla's wiki has a page about the subCAs
>
> https://wiki.mozilla.org/CA/Intermediate_Certificates
>
> On that page I see a link labelled:
>
> "Non-revoked, non-expired
On Tue, Apr 9, 2019 at 10:39 AM Lijun Liao wrote:
> Just makes it clear: The extension KeyUsage is optional in subscriber's
> certificate. But what happens if it is present and is NOT critical?
>
RFC 5280 says SHOULD, not MUST. RFC 2119 defines SHOULD as:
3. SHOULD This word, or the
Mozilla's wiki has a page about the subCAs
https://wiki.mozilla.org/CA/Intermediate_Certificates
On that page I see a link labelled:
"Non-revoked, non-expired Intermediate CA Certificates chaining up to
roots in Mozilla's program with the Websites trust bit set"
And clicking that link produces
Just makes it clear: The extension KeyUsage is optional in subscriber's
certificate. But what happens if it is present and is NOT critical?
On Tue, 9 Apr 2019, 16:29 Ryan Sleevi wrote:
> 1. Open
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.4.pdf
> 2. Search for "KeyUsage"
>
1. Open
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.4.pdf
2. Search for "KeyUsage"
- 11 occurrences
#1
7.1.2.1 Root CA Certificate
b. keyUsage
This extension MUST be present and MUST be marked critical ...
#3
7.1.2.2 Subordinate CA Certificate
e. keyUsage
This
The extension KeyUsage in subscriber's certificate SHOULD be marked as
critical as in RFC 5280. What if it is not set? Does this violate the
Baseline Requirements or any rules used by Mozilla Security Policy?
Best regards
Lijun