Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-04-29 Thread Peter Bowen via dev-security-policy
I support this, as long as Policy CAs meet the same operations standards and have the same issuance restrictions as root CAs. This would result in no real change to policy, as I assume roots not directly included in the Mozilla root store were already considered “roots” for this part of the

Re: Policy 2.7 Proposal: Clarify Section 5.1 ECDSA Curve-Hash Requirements

2019-04-29 Thread Ryan Sleevi via dev-security-policy
On Fri, Apr 26, 2019 at 5:39 PM Wayne Thayer wrote: > This does not, however, address the last part of what Brian proposes - >> which is examining if, how many, and which CAs would fail to meet these >> encoding requirements today, either in their roots, subordinates, or leaf >> certificates. >>

Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-04-29 Thread Ryan Sleevi via dev-security-policy
On Fri, Apr 26, 2019 at 7:02 PM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > In version 2.6 of our Root Store Policy, we added the requirement to > section 5.3 that intermediate certificates contain an EKU and separate > serverAuth and emailProtection

AT&T SSL certificates without the AIA extension

2019-04-29 Thread Doug Beattie via dev-security-policy
In the course of normal communications with AT&T, we came across an SSL certificate that did not have the required AIA extension in it on Friday April 16th. We had a conference call shortly thereafter and they verified that one of their current EJBCA certificate profiles is missing this