Russ Housley <[email protected]> wrote:
> X.509 and RFC 5280 say that EKU is only useful in end entity certificates.
> The CA/Browser forum says otherwise. They have defined a way for the
> EKU in CA certificates to constrain subordinate certificates.
> I prefer a different approach to such constraints, but when this was
> last discussed, it became clear that no one was going to change their
> code, so I dropped it.
Thank you for this history.
> The thread from 2016 starts here:
> https://mailarchive.ietf.org/arch/msg/spasm/0UIEDAEhLK2iHNUhrH6VjDcbHmU/
I think that ietf-uta-tls13-iot will go with no EKUs in certification
authorities: useless bits for constrained IoT networks.
>> On Nov 18, 2024, at 10:28 AM, Michael Richardson <[email protected]> wrote:
>>
>> Are Extended Key Usage values meaningful for root and subordinate CA
>> certificates?
>>
>> https://www.ietf.org/archive/id/draft-ietf-uta-tls13-iot-profile-11.html#name-key-usage
>> and:
>> https://www.ietf.org/archive/id/draft-ietf-uta-tls13-iot-profile-11.html#name-key-usage-2
>>
>> I think they might be meaningless?
>>
>> --
>> Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
>> Sandelman Software Works Inc, Ottawa and Worldwide
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Uta mailing list -- [email protected]
To unsubscribe send an email to [email protected]
