[cabfpub] Must Staple and BR Issue 7

Adam Langley agl at google.com
Mon Nov 5 12:46:54 UTC 2012

On Sun, Nov 4, 2012 at 5:32 PM, Ben Wilson <ben at digicert.com> wrote:
> If we were to revise Appendix B of the Baseline Requirements, as outlined in
> the proposed ballot to address BR Issue #7 (redlined version attached, but
> not fully endorsed yet for vote), would it make sense to amend section F of
> Subscriber Certificates (extKeyUsage) (which currently says, "Either the
> value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both
> values MUST be present.  id-kp-emailProtection [RFC5280] MAY be present") to
> also say that, in addition to emailProtection, the CABF extKeyUsage OID for
> must-staple ( MAY be present?  (Even if it had to be proposed
> as its own separate ballot because it is not in direct response to the BR
> Issue #7? Or is it substantially related enough?)  After reviewing this
> attachment, are there any endorsers, or persons who would endorse if
> modifications were made?

I thought we figured that it was going to be an extension, not a
keyUsage? The keyUsage was easier for some CAs to issue, but the
feeling that I got was that people didn't like overloading the
meaning. There's also that problem that keyUsage, in reality, is
defined as a scope down the chain. (i.e. that the keyUsage would have
to be permitted all the way to the root.)


