<div dir="ltr">Make that 42.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Nov 4, 2021 at 8:45 AM Ben Wilson via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Add 33 more that I didn't count that had the serverAuth, timeStamping, codeSigning, and OCSP signing EKUs in them.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Nov 4, 2021 at 8:41 AM Ben Wilson <<a href="mailto:bwilson@mozilla.com" target="_blank">bwilson@mozilla.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div><font size="2">I just posted a CCADB report here: <a href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/6IegfqONu7c/m/ofXETowrAgAJ" target="_blank">https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/6IegfqONu7c/m/ofXETowrAgAJ </a><br></font></div><div><font size="2"><br></font></div><div><font size="2">I counted 445 CA certificates with the emailProtection EKU. <br></font></div><div><font size="2"><br></font></div><div>













<table style="border-collapse:collapse;width:494pt" width="659" cellspacing="0" cellpadding="0" border="0">

 <colgroup><col style="width:444pt" width="592">
 <col style="width:50pt" width="67">
 </colgroup><tbody><tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;width:444pt;font-weight:700;border:0.5pt solid windowtext;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" width="592" height="19"><font size="2">S/MIME</font></td>
  <td style="border-color:windowtext windowtext windowtext currentcolor;border-style:solid solid solid none;border-width:0.5pt 0.5pt 0.5pt medium;width:50pt;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" width="67"><font size="2"> </font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">emailProtection,
  clientAuth</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">319</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">emailProtection</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">18</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,AuthenticDocumentsTrust</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">3</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,BitLocker,MS-docSigning,EFSRecovery,EFS,Smartcardlogon</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,caExchange,keyRecoveryAgent</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">9</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,digitalPersona</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,EFS</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">4</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,EFS,MS-docSigning</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,EFS,MS-docSigning,Smartcardlogon,PIV-cardAuth,pivi-content-signing</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,EFS,Smartcardlogon</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">2</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,EFS,Smartcardlogon,MS-docSigning,AuthenticDocumentsTrust</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">5</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,EFSRecovery,EFS,Smartcardlogon</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">2</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,IPSECUser,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,Smartcardlogon,PASSIM</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,IPSECUser,Smartcardlogon,EFS,keyRecoveryAgent,MS-docSigning,ipsecIKE</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,MS-docSigning</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">41</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,MS-docSigning,AuthenticDocumentsTrust,Smartcardlogon</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,MS-docSigning,EFS</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">3</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,MS-docSigning,EFS,Smartcardlogon</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,MS-docSigning,Entrust-docSigning</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,Smartcardlogon</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">4</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">clientAuth,emailProtection,Smartcardlogon,EFS,EFSRecovery,BitLocker</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">emailProtection,BitLocker,EFSRecovery,EFS</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">emailProtection,caExchange</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">emailProtection,caExchange,keyRecoveryAgent</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">10</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">emailProtection,clientAuth,EntrustEvent,EntrustUnknown,Smartcardlogon</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">emailProtection,clientAuth,IPSECUser,EFS,EFSRecovery,MSkeyRecovery,enrollmentAgent,Smartcardlogon,PASSIM</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">emailProtection,clientAuth,Smartcardlogon,EFS,EFSRecovery,BitLocker</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">emailProtection,clientAuth,Smartcardlogon,MS-docSigning</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">1</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">emailProtection,MS-docSigning</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">3</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">emailProtection,MS-docSigning,AuthenticDocumentsTrust</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-weight:400;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">6</font></td>
 </tr>
 <tr style="height:14.4pt" height="19">
  <td style="height:14.4pt;border-color:currentcolor windowtext windowtext;border-style:none solid solid;border-width:medium 0.5pt 0.5pt;font-weight:700;text-align:left;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" height="19"><font size="2">S/MIME Total</font></td>
  <td style="border-color:currentcolor windowtext windowtext currentcolor;border-style:none solid solid none;border-width:medium 0.5pt 0.5pt medium;font-weight:700;padding-top:1px;padding-right:1px;padding-left:1px;color:black;font-style:normal;text-decoration:none;font-family:Calibri,sans-serif;vertical-align:bottom;white-space:nowrap" align="right"><font size="2">445</font></td>
 </tr>

</tbody></table>



</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 7, 2021 at 11:45 AM Corey Bonnell via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org" target="_blank">smcwg-public@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div><p class="MsoNormal">Hello,<u></u><u></u></p><p class="MsoNormal">To help facilitate the discussion on EKUs allowed for the various profiles, I downloaded all S/MIME ICAs trusted by Mozilla according to Censys.io and sorted the occurrence of EKUs that appear in the ICAs. I have filtered out ICA certificates that are revoked by CRL.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">E-mail Protection: 414<u></u><u></u></p><p class="MsoNormal">TLS Web Client Authentication: 368<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/1.3.6.1.4.1.311.10.3.12" target="_blank">http://oid-info.com/get/1.3.6.1.4.1.311.10.3.12</a>: 82<u></u><u></u></p><p class="MsoNormal">Microsoft Encrypted File System: 38<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/1.3.6.1.4.1.311.21.5" target="_blank">http://oid-info.com/get/1.3.6.1.4.1.311.21.5</a>: 29<u></u><u></u></p><p class="MsoNormal">OCSP Signing: 27<u></u><u></u></p><p class="MsoNormal">Microsoft Smartcard Login: 26<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/1.3.6.1.4.1.311.21.6" target="_blank">http://oid-info.com/get/1.3.6.1.4.1.311.21.6</a>: 26<u></u><u></u></p><p class="MsoNormal">TLS Web Server Authentication: 20<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/1.2.840.113583.1.1.5" target="_blank">http://oid-info.com/get/1.2.840.113583.1.1.5</a>: 13<u></u><u></u></p><p class="MsoNormal">Time Stamping: 12<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/1.3.6.1.4.1.311.10.3.4.1" 
target="_blank">http://oid-info.com/get/1.3.6.1.4.1.311.10.3.4.1</a>: 11<u></u><u></u></p><p class="MsoNormal">Code Signing: 9<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/1.3.6.1.4.1.311.20.2.1" target="_blank">http://oid-info.com/get/1.3.6.1.4.1.311.20.2.1</a>: 7<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/1.3.6.1.4.1.311.10.3.11" target="_blank">http://oid-info.com/get/1.3.6.1.4.1.311.10.3.11</a>: 6<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/1.3.6.1.4.1.311.21.19" target="_blank">http://oid-info.com/get/1.3.6.1.4.1.311.21.19</a>: 6<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/1.3.6.1.5.5.7.3.14" target="_blank">http://oid-info.com/get/1.3.6.1.5.5.7.3.14</a>: 4<u></u><u></u></p><p class="MsoNormal">IPSec User: 4<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/1.3.6.1.4.1.311.67.1.1" target="_blank">http://oid-info.com/get/1.3.6.1.4.1.311.67.1.1</a>: 3<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/2.16.840.1.114027.40.3" target="_blank">http://oid-info.com/get/2.16.840.1.114027.40.3</a>: 1<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/2.16.840.114027.40.4" target="_blank">http://oid-info.com/get/2.16.840.114027.40.4</a>: 1<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/2.16.840.1.114027.40.11" target="_blank">http://oid-info.com/get/2.16.840.1.114027.40.11</a>: 1<u></u><u></u></p><p class="MsoNormal">ipsec Internet Key Exchange: 1<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/1.3.6.1.4.1.29452.1.1" target="_blank">http://oid-info.com/get/1.3.6.1.4.1.29452.1.1</a>: 1<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/1.3.6.1.5.5.8.2.2" target="_blank">http://oid-info.com/get/1.3.6.1.5.5.8.2.2</a>: 1<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/2.16.840.1.101.3.6.8" 
target="_blank">http://oid-info.com/get/2.16.840.1.101.3.6.8</a>: 1<u></u><u></u></p><p class="MsoNormal"><a href="http://oid-info.com/get/2.16.840.1.101.3.8.7" target="_blank">http://oid-info.com/get/2.16.840.1.101.3.8.7</a>: 1<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Given the wide variety of EKUs included in ICAs today, I believe it makes sense to be permissive for the legacy profile and allow any EKU value to appear alongside emailProtection. For the multi-purpose profile, we may want to permit document signing, client authentication, and other related client-centric functionality (encrypting file system, etc.) but prohibit EKUs that don’t fall into “end-user client machine” usages, such as timeStamping or codeSigning. <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">If anyone wants to perform their own investigation, this is the Censys query used to generate the list of ICAs: <u></u><u></u></p><p class="MsoNormal"><span style="font-size:10pt;font-family:"Courier New"">((validation.nss.valid: true and parsed.extensions.extended_key_usage.email_protection: true) AND tags.raw: "trusted") AND parsed.extensions.basic_constraints.is_ca: true<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:10pt;font-family:"Courier New""><u></u> <u></u></span></p><p class="MsoNormal">Thanks,<u></u><u></u></p><p class="MsoNormal">Corey<span style="font-size:10pt;font-family:"Courier New""><u></u><u></u></span></p><p class="MsoNormal"><u></u> <u></u></p></div></div>_______________________________________________<br>
Smcwg-public mailing list<br>
<a href="mailto:Smcwg-public@cabforum.org" target="_blank">Smcwg-public@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><br>
</blockquote></div></div>
</blockquote></div></div>
</blockquote></div>
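<p>Added example, not part of the original thread or any participant's code: a small Python audit that merges EKU-combination rows listing the same EKUs in a different order (as several rows of the table above do), derives per-EKU totals, and checks each combination against the legacy and multi-purpose profile rules proposed in the thread. Assumptions: the <code>ekus | count</code> input layout, the function names, the requirement that both profiles contain emailProtection, and a prohibited set limited to the two EKUs the thread names (timeStamping, codeSigning).</p>

```python
from collections import Counter

EMAIL = "emailProtection"

# EKUs the thread gives as examples of non-client usages to prohibit in the
# multi-purpose profile. Assumption: a final profile may list more.
NON_CLIENT_EKUS = frozenset({"timeStamping", "codeSigning"})

# The first six rows are copied from the table in the thread; the last two
# are constructed for this example to exercise the failure cases.
SAMPLE_ROWS = """\
emailProtection, clientAuth | 319
emailProtection | 18
clientAuth,emailProtection,MS-docSigning | 41
clientAuth,emailProtection,Smartcardlogon,EFS,EFSRecovery,BitLocker | 1
emailProtection,clientAuth,Smartcardlogon,EFS,EFSRecovery,BitLocker | 1
emailProtection,caExchange,keyRecoveryAgent | 10
emailProtection,clientAuth,codeSigning,timeStamping | 2
clientAuth,codeSigning | 1
"""


def parse_rows(text):
    """Return {frozenset(EKU names): certificate count}.

    EKU order inside a certificate carries no meaning, so rows that list the
    same EKUs in a different order are merged into one combination.
    """
    combos = Counter()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        names, sep, count = line.rpartition("|")
        if not sep or not count.strip().isdigit():
            raise ValueError(f"line {lineno}: expected 'ekus | count'")
        ekus = frozenset(n.strip() for n in names.split(",") if n.strip())
        if not ekus:
            raise ValueError(f"line {lineno}: empty EKU list")
        combos[ekus] += int(count)
    return dict(combos)


def per_eku_totals(combos):
    """Count how many certificates carry each individual EKU."""
    totals = Counter()
    for ekus, count in combos.items():
        for eku in ekus:
            totals[eku] += count
    return totals


def check_profile(ekus, profile, non_client=NON_CLIENT_EKUS):
    """Return a list of problems for one EKU set; an empty list means it fits.

    legacy:       any EKU may appear alongside emailProtection.
    multipurpose: as legacy, but EKUs in `non_client` are rejected.
    """
    if profile not in ("legacy", "multipurpose"):
        raise ValueError(f"unknown profile: {profile!r}")
    problems = []
    if EMAIL not in ekus:
        problems.append("missing emailProtection")
    if profile == "multipurpose":
        for eku in sorted(ekus & non_client):
            problems.append(f"{eku} not permitted")
    return problems


def audit(combos, profile):
    """Return (certificates accepted, Counter of problem to certificates)."""
    accepted = 0
    problems = Counter()
    for ekus, count in combos.items():
        found = check_profile(ekus, profile)
        if not found:
            accepted += count
        for problem in found:
            problems[problem] += count
    return accepted, problems


if __name__ == "__main__":
    combos = parse_rows(SAMPLE_ROWS)
    print("distinct combinations:", len(combos))
    for eku, n in per_eku_totals(combos).most_common():
        print(f"  {eku}: {n}")
    for profile in ("legacy", "multipurpose"):
        ok, problems = audit(combos, profile)
        print(profile, "accepted:", ok, "problems:", dict(problems))
```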