<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 11/13/2014 10:53 PM, Ryan Sleevi
wrote:<br>
</div>
<blockquote
cite="mid:CACvaWvbXU5FO2eQvy0PUp6Nw7mp+RpkX9rMUNacYHyWunJJqvw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"><br>
<div class="gmail_quote">Because it's widely implemented in a
variety of libraries and provides immediate security
benefits for clients, and immediate clarifications for CAs
about in scope vs out of scope, and doesn't conflict with
any of the language in RFC 5280 - which, while it was accurate
at the time it was written ("In general, this doesn't appear
in CA certs"), is NOT a prohibition against it, just an
observation.</div>
</div>
</div>
</blockquote>
<br>
Yes, but... there is a big BUT that the true meaning of an EKU in a
CA certificate (for that matter in any certificate) will define how
such a certificate can be used. The meaning of id-kpServerAuth is
clearly defined and it's not for the suggested use in CA
certificates as currently proposed. <br>
<br>
Just want to set the record straight as to how I read it.<br>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>