[cabfpub] Ballot 108: Clarifying the scope of the baseline requirements

Ryan Sleevi sleevi at google.com
Wed Aug 7 17:59:13 UTC 2013

On Wed, Aug 7, 2013 at 6:57 AM, Gervase Markham <gerv at mozilla.org> wrote:
> On 29/07/13 22:18, Eddy Nigg (StartCom Ltd.) wrote:
>> No, I'm not sure about Apple, but NSS has disabled it entirely for
>> Netscape Server Gated Cryptography and Microsoft Server Gated
>> Cryptography was never relevant for them.
> https://bugzilla.mozilla.org/show_bug.cgi?id=476807 set the SGC bits to
> FALSE (even though they had not been honoured for a long time) to try
> and avoid people claiming NSS still "supported" this.
That removed special trust bits for *performing* SGC. However, certs
with the SGC EKUs are treated "as if" they had the server EKU.

> Ryan: what does Android do with them? What SSL library is in use there?

Again, no SGC/step-up is performed.

All we're talking about is what the cert validation library (*not* the
SSL library) will do if it sees a cert with SGC EKUs, but no Server
Auth / Client Auth EKUs.

The cited libraries will all treat the SGC EKUs as equivalent to
Server Auth in that case. As such, certs with SGC EKUs would need to
be in scope, because they'd be technically possible to be used as
server certs.

> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
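The validation-library behaviour the message describes, as an added example (not part of the original post, and not code from NSS or any other library named in the thread): parse an ExtKeyUsage extension value from DER and decide whether the certificate would be accepted as a TLS server certificate, once under the lenient rule in which the Netscape and Microsoft SGC EKUs count as id-kp-serverAuth, and once under a strict rule that honours only id-kp-serverAuth. The OID constants are the standard values; the DER byte strings are constructed for the example, and all function names are mine.

```python
"""Would a certificate's Extended Key Usage let it act as a TLS server cert?

Added example, not code from the original message or from any library it
names. The ExtKeyUsage DER bytes below are constructed for the example.
A certificate with no EKU extension at all is a separate case (RFC 5280
treats it as unrestricted) and is not modelled here.
"""
from typing import List, Tuple

# Standard EKU object identifiers (dotted form).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"        # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"        # id-kp-clientAuth
NETSCAPE_SGC = "2.16.840.1.113730.4.1"   # Netscape Server Gated Crypto
MICROSOFT_SGC = "1.3.6.1.4.1.311.10.3.3"  # Microsoft Server Gated Crypto

# Constructed sample: ExtKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER,
# carrying only the two SGC OIDs and no serverAuth / clientAuth.
SGC_ONLY_EKU = bytes.fromhex(
    "3017"
    "0609 60 86 48 01 86 F8 42 04 01"      # 2.16.840.1.113730.4.1
    "060A 2B 06 01 04 01 82 37 0A 03 03"   # 1.3.6.1.4.1.311.10.3.3
)
# Constructed sample: ExtKeyUsage carrying only id-kp-serverAuth.
SERVER_AUTH_ONLY_EKU = bytes.fromhex("300A 0608 2B 06 01 05 05 07 03 01")


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


def decode_oid(value: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for b in value:                         # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]                         # first octet packs two arcs
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_ext_key_usage(der: bytes) -> List[str]:
    """Parse an ExtKeyUsage extension value into a list of dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ExtKeyUsage must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("ExtKeyUsage members must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(value))
    if not oids:
        raise ValueError("ExtKeyUsage must not be empty")
    return oids


def usable_for_server_auth(ekus: List[str], treat_sgc_as_server_auth: bool) -> bool:
    """Apply the EKU policy to a parsed list of OIDs.

    treat_sgc_as_server_auth=True models the lenient libraries the message
    describes, where an SGC EKU is accepted 'as if' it were serverAuth.
    """
    if SERVER_AUTH in ekus:
        return True
    if treat_sgc_as_server_auth and (NETSCAPE_SGC in ekus or MICROSOFT_SGC in ekus):
        return True
    return False


if __name__ == "__main__":
    for label, der in (("SGC only", SGC_ONLY_EKU), ("serverAuth only", SERVER_AUTH_ONLY_EKU)):
        ekus = parse_ext_key_usage(der)
        print(label, ekus,
              "lenient:", usable_for_server_auth(ekus, True),
              "strict:", usable_for_server_auth(ekus, False))
```

The point of running both policies side by side is the one the message makes: a certificate whose EKU names only the SGC OIDs is rejected as a server certificate by the strict rule but accepted by the lenient one, so such certificates are technically usable for TLS server authentication and belong in scope.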
