[cabfpub] Must Staple and BR Issue 7
Adam Langley
agl at google.com
Mon Nov 5 12:46:54 UTC 2012
On Sun, Nov 4, 2012 at 5:32 PM, Ben Wilson <ben at digicert.com> wrote:
> If we were to revise Appendix B of the Baseline Requirements, as outlined in
> the proposed ballot to address BR Issue #7 (relined version attached, but
> not fully endorsed yet for vote), would it make sense to amend section F of
> Subscriber Certificates (extKeyUsage) (which currently says, "Either the
> value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both
> values MUST be present. id-kp-emailProtection [RFC5280] MAY be present") to
> also say that, in addition emailProtection, the CABF extKeyUsage OID for
> must-staple (2.23.140.16.1) MAY be present? (Even if it had to be proposed
> as its own separate ballot because it is not in direct response to the BR
> Issue#7? Or is it substantially related enough?) After reviewing this
> attachment, are there any endorsers, or persons who would endorse if
> modifications were made?
I thought we figured that it was going to be an extension, not a
keyUsage? The keyUsage was easier for some CAs to issue, but the
feeling that I got was that people didn't like overloading the
meaning. There's also that problem that keyUsage, in reality, is
defined as a scope down the chain. (i.e. that the keyUsage would have
to be permitted all the way to the root.)
Cheers
AGL
More information about the Public
mailing list