[cabfpub] Name Constraints, Auditing and EKU
Rob Stradling
rob.stradling at comodo.com
Tue Apr 23 10:13:52 UTC 2013
On 22/04/13 20:49, Brown, Wendy (10421) wrote:
> I disagree with the statement it is too late to try to stop the proliferation of trying to do technical constraints on CAs using EKU in violation of the intent of RFC 5280.
Wendy, you are welcome to try. Maybe you will succeed where others have
failed.
Even Microsoft, the architects of "EKU constraints", were unsuccessful
when they tried to move to an alternative mechanism that didn't violate
the intent of RFC5280. See
http://www.ietf.org/mail-archive/web/pkix/current/msg32431.html
> The FPKI is one large community of PKIs that will opt for publicly disclosed and audited rather than the technical constraints Mozilla is trying to impose because that model doesn't really work with our community and we already require audit of all subordinate CAs.
>
> wendy
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online