[cabfpub] Name Constraints, Auditing and EKU

Rob Stradling rob.stradling at comodo.com
Tue Apr 23 10:13:52 UTC 2013

On 22/04/13 20:49, Brown, Wendy (10421) wrote:
> I disagree with the statement it is too late to try to stop the proliferation of trying to do technical constraints on CAs using EKU in violation of the intent of RFC 5280.

Wendy, you are welcome to try.  Maybe you will succeed where others have 

Even Microsoft, the architects of "EKU constraints", were unsuccessful 
when they tried to move to an alternative mechanism that didn't violate 
the intent of RFC5280.  See
http://www.ietf.org/mail-archive/web/pkix/current/msg32431.html

> The FPKI is one large community of PKIs that will opt for publicly disclosed and audited rather than the technical constraints Mozilla is trying to impose because that model doesn't really work with our community and we already require audit of all subordinate CAs.
>     wendy

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
