[cabfpub] FW: [cabfman] BR effective date

Jeremy Rowley jeremy.rowley at digicert.com
Fri Dec 20 15:57:48 UTC 2013

Thanks Erwann - I've moved this to the public mailing list. Replies are
in-line and marked with [JR].

>If a certificate happens to have BasicConstraints:CA=true, then it's a CA
>cert, period.
[JR] No dispute here.

>If a certificate has a serverAuth EKU, then it's a TLS server cert. With
>compliant content, it's also an EV certificate.
[JR] serverAuth is the easy case, although someone may disagree since
community device certs require this EKU.  The hard case is anyEKU or where
the EKU is omitted.

>If a certificate follows QC profile, then it's a QC certificate.
[JR] But QC does not preclude a server cert.

>If nothing forbids combinations, a certificate could be QC+EV+CA. And of
>course subject to subsequent constraints/rules.
[JR] The problem is anyEKU or omitted EKUs.  In that case it could be a
server cert.  From what I understand, QCs do not contain a domain name in
the CN (they have the name of the individual).  Therefore, they are not BR
compliant, despite the fact they can be used for server authentication.
