[cabfpub] Name Constraints, Auditing and EKU

Rob Stradling rob.stradling at comodo.com
Tue Apr 23 20:46:03 UTC 2013


On 23/04/13 21:01, Carl Wallace wrote:
> On 4/23/13 3:58 PM, "Rob Stradling" <rob.stradling at comodo.com> wrote:
>
>>
>> Agreed.  That's why I tried (unsuccessfully) to persuade Mozilla to
>> require the use of the Netscape Cert Type extension instead of "EKU
>> constraints" (this was last year when the "technically constrained"
>> language in the current version of the Mozilla CA Policy was being put
>> together).
>
> Is there a specification that defines how "EKU constraints" work?

I'm not aware of any single definitive spec, but here are a few useful 
links...

Section 9 of 
http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html

http://technet.microsoft.com/en-us/library/cc731792(v=ws.10).aspx

http://unmitigatedrisk.com/?p=57

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online



More information about the Public mailing list