[cabfpub] Ballot 108: Clarifying the scope of the baseline requirements

Gervase Markham gerv at mozilla.org
Thu Aug 8 08:58:32 UTC 2013

On 07/08/13 18:59, Ryan Sleevi wrote:
> All we're talking about is what the cert validation library (*not* the
> SSL library) will do if it sees a cert with SGC EKUs, but no Server
> Auth / Client Auth EKUs.
> The cited libraries will all treat the SGC EKUs as equivalent to
> Server Auth in that case. As such, certs with SGC EKUs would need to
> be in scope, because they'd be technically possible to be used as
> server certs.

Ah, I see. Thanks for clarifying. That makes sense.

Are there certs out there today which have SGC EKUs and _not_ the
standard server EKU? What would break if NSS stopped treating the SGC
EKU as equivalent to a server EKU?


More information about the Public mailing list