<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Rick,<br>
<br>
EKUs are normally used on EE certificates, but the QC profile doesn't
use them.<br>
<br>
Below are the allowed KeyUsage bit combinations (just in case) for
signature certs:<br>
<br>
<table border="1" cellpadding="3" cellspacing="0">
<tr><th>NR (nonRepudiation)</th><th>DS (digitalSignature)</th><th>KE/KA (keyEncipherment / keyAgreement)</th></tr>
<tr><td>+</td><td>-</td><td>-</td></tr>
<tr><td>+</td><td>+</td><td>-</td></tr>
<tr><td>-</td><td>+</td><td>-</td></tr>
<tr><td>-</td><td>+</td><td>+</td></tr>
<tr><td>-</td><td>-</td><td>+</td></tr>
<tr><td>+</td><td>+</td><td>+</td></tr>
</table>
<br>
<br>
Thanks,<br>
M.D.<br>
<br>
On 11/4/2014 12:00 AM, Rick Andrews wrote:<br>
</div>
<blockquote
cite="mid:544B0DD62A64C1448B2DA253C011414607D43B6664@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Can
one of our European colleagues comment about Qualified
certs? I seem to recall that was the sticky point when we
last discussed this.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">-Rick
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:.5in"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Eddy
Nigg<br>
<b>Sent:</b> Monday, November 03, 2014 1:45 PM<br>
<b>To:</b> Brian Smith<br>
<b>Cc:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] (Eventually) requiring
id-kpServerAuth for all certs in the chain?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in">On 11/03/2014
11:36 PM, Brian Smith wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal" style="margin-left:.5in">On Mon,
Nov 3, 2014 at 1:32 PM, Eddy Nigg <<a
moz-do-not-send="true"
href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>>
wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in">On
11/03/2014 11:20 PM, Brian Smith wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal" style="margin-left:.5in">2.
Require the revocation of any intermediate
certificates that do not have an EKU
extension or have an EKU extension with
anyExtendedKeyUsage and/or have an EKU
extension with id-kp-serverAuth.<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal" style="margin-left:.5in">You must
be joking, aren't you? :-)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">Sorry, I
omitted a qualifier: "...that do not conform to the
BRs (e.g. are not technically constrained or
publicly audited)."<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">In other
words, require the revocation of CA certificates
that do not comply with the BRs, if issued by a CA
for which the BRs apply. Again, this should already
be the case.<o:p></o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in"><br>
Ah, that's something else :-)<br>
<br>
Thanks for confirming.<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in">-- <o:p></o:p></p>
<table class="MsoNormalTable" style="margin-left:.5in"
cellpadding="0" cellspacing="0" border="0">
<tbody>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Regards <o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"> <o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Signer: <o:p></o:p></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Eddy Nigg, COO/CTO<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"> <o:p></o:p></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a moz-do-not-send="true"
href="http://www.startcom.org">StartCom Ltd.</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">XMPP: <o:p></o:p></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a moz-do-not-send="true"
href="xmpp:startcom@startcom.org">startcom@startcom.org</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Blog: <o:p></o:p></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a moz-do-not-send="true"
href="http://blog.startcom.org">Join the
Revolution!</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Twitter: <o:p></o:p></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a moz-do-not-send="true"
href="http://twitter.com/eddy_nigg">Follow Me</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"> <o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="margin-left:.5in"><span
style="color:windowtext"><o:p> </o:p></span></p>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
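<p>The two checks discussed in this thread, as an added example that is not part of the thread and not code from any of its participants: a small Python module that decodes the DER value of an X.509 KeyUsage (BIT STRING) and ExtendedKeyUsage (SEQUENCE OF OID) extension, then applies M.D.'s allowed-combination table for signature certificates and Brian Smith's rule for intermediates (flag a CA certificate whose EKU extension is absent, lists anyExtendedKeyUsage, or lists id-kp-serverAuth). The DER sample values are constructed for the demo, the function names are this example's own, and reading the "KE/KA" column as "keyEncipherment or keyAgreement is set" is an assumption; Brian's later qualifier (only CA certificates that do not conform to the BRs) is not modelled.</p>

```python
"""Added example, not from the cabforum thread: decode DER KeyUsage and
ExtendedKeyUsage values and apply the two checks discussed in the thread."""
from typing import List, Optional, Set, Tuple

# KeyUsage bit names in bit order (bit 0 first), RFC 5280 section 4.2.1.3.
KU_NAMES = ("digitalSignature", "nonRepudiation", "keyEncipherment",
            "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
            "encipherOnly", "decipherOnly")
ANY_EKU = "2.5.29.37.0"                  # anyExtendedKeyUsage
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

# M.D.'s table as (NR, DS, KE/KA) rows.  Reading "KE/KA" as "keyEncipherment
# or keyAgreement set" is an assumption of this example.
ALLOWED_SIGNATURE_COMBOS = {
    (True, False, False), (True, True, False), (False, True, False),
    (False, True, True), (False, False, True), (True, True, True),
}

def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, data[pos:pos + length], pos + length

def decode_key_usage(der: bytes) -> Set[str]:
    """Decode a DER BIT STRING KeyUsage value into the set of named bits."""
    tag, content, end = _read_tlv(der, 0)
    if tag != 0x03 or end != len(der) or not content:
        raise ValueError("not a single DER BIT STRING")
    unused, bits = content[0], content[1:]
    nbits = len(bits) * 8 - unused       # trailing 'unused' bits are padding
    names = set()
    for idx, name in enumerate(KU_NAMES):
        if idx >= nbits:
            break
        byte_i, bit_i = divmod(idx, 8)
        if (bits[byte_i] >> (7 - bit_i)) & 1:   # bit 0 is the MSB of byte 0
            names.add(name)
    return names

def _decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes (base-128 arcs) to dotted form."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]                      # packs the top two arcs as 40*X + Y
    x, y = (2, first - 80) if first >= 80 else divmod(first, 40)
    return ".".join(str(n) for n in [x, y] + arcs[1:])

def decode_eku(der: bytes) -> List[str]:
    """Decode a DER SEQUENCE OF OBJECT IDENTIFIER (ExtKeyUsageSyntax)."""
    tag, content, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        t, v, pos = _read_tlv(content, pos)
        if t != 0x06:
            raise ValueError("EKU element is not an OBJECT IDENTIFIER")
        oids.append(_decode_oid(v))
    return oids

def signature_key_usage_ok(names: Set[str]) -> bool:
    """Is this KeyUsage one of the NR/DS/KE-KA rows in M.D.'s table?"""
    nr = "nonRepudiation" in names
    ds = "digitalSignature" in names
    ke_ka = "keyEncipherment" in names or "keyAgreement" in names
    return (nr, ds, ke_ka) in ALLOWED_SIGNATURE_COMBOS

def intermediate_eku_flagged(eku_oids: Optional[List[str]]) -> bool:
    """Brian Smith's rule for intermediates: flag when the EKU extension is
    absent, lists anyExtendedKeyUsage, or lists id-kp-serverAuth."""
    if eku_oids is None:
        return True
    return ANY_EKU in eku_oids or ID_KP_SERVER_AUTH in eku_oids

# Constructed sample extension values (DER, hex); not taken from real certs.
KU_DS_NR = bytes.fromhex("030206c0")     # digitalSignature + nonRepudiation
KU_NR_KE = bytes.fromhex("03020560")     # nonRepudiation + keyEncipherment
KU_CA = bytes.fromhex("03020106")        # keyCertSign + cRLSign
EKU_SERVER_AUTH = bytes.fromhex("300a06082b06010505070301")
EKU_ANY = bytes.fromhex("30060604551d2500")
EKU_CLIENT_EMAIL = bytes.fromhex("301406082b0601050507030206082b06010505070304")

if __name__ == "__main__":
    for ku in (KU_DS_NR, KU_NR_KE, KU_CA):
        print(sorted(decode_key_usage(ku)), signature_key_usage_ok(decode_key_usage(ku)))
    for eku in (EKU_SERVER_AUTH, EKU_ANY, EKU_CLIENT_EMAIL):
        print(decode_eku(eku), intermediate_eku_flagged(decode_eku(eku)))
```

<p>The decoder respects the BIT STRING's unused-bits byte, so a bit that falls into the padding region is never reported; the nonRepudiation + keyEncipherment sample is the one row absent from M.D.'s table and is rejected, while keyCertSign + cRLSign is rejected simply because none of the three columns is set, which is what you would expect for a CA certificate rather than a signature certificate.</p>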
</body>
</html>