<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 11/03/2014 11:36 PM, Brian Smith
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAFewVt50Nw12XOj19y_bgdpGkYCqKWHXOqXsr45nafZD6BF1=w@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">On Mon, Nov 3, 2014 at 1:32 PM, Eddy
            Nigg <span dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"><span class=""> <br>
                  <div>On 11/03/2014 11:20 PM, Brian Smith wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_extra">
                        <div class="gmail_quote">2. Require the
                          revocation of any intermediate certificates
                          that do not have an EKU extension or have an
                          EKU extension with anyExtendedKeyUsage and/or
                          have an EKU extension with id-kp-serverAuth.</div>
                      </div>
                    </div>
                  </blockquote>
                </span> You must be joking, aren't you? :-)</div>
            </blockquote>
            <div><br>
            </div>
            <div>Sorry, I omitted a qualifier: "...that do not conform
              to the BRs (e.g. are not technically constrained or
              publicly audited)."</div>
            <div><br>
            </div>
            <div>In other words, require the revocation of CA
              certificates that do not comply with the BRs, if issued by
              a CA for which the BRs apply. Again, this should already
              be the case.<br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Ah, that's something else :-)<br>
    <br>
    Thanks for confirming.<br>
    <br>
    <div class="moz-signature">-- <br>
      <table border="0" cellpadding="0" cellspacing="0">
        <tbody>
          <tr>
            <td colspan="2">Regards </td>
          </tr>
          <tr>
            <td colspan="2"> </td>
          </tr>
          <tr>
            <td>Signer: </td>
            <td>Eddy Nigg, COO/CTO</td>
          </tr>
          <tr>
            <td> </td>
            <td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
          </tr>
          <tr>
            <td>XMPP: </td>
            <td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
          </tr>
          <tr>
            <td>Blog: </td>
            <td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
          </tr>
          <tr>
            <td>Twitter: </td>
            <td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
          </tr>
          <tr>
            <td colspan="2"> </td>
          </tr>
        </tbody>
      </table>
    </div>
  </body>
</html>