[cabfpub] SHA-1 changes and certificate lifetimes
Rick Andrews
Rick_Andrews at symantec.com
Wed Nov 13 11:01:53 MST 2013
> I am pretty sure that we will discover that there are non-browser
> applications of certs that cause some people to ask for exceptions.
No doubt, but I think we have at least two workable solutions that came out of the 1024-bit phaseout:
1) Sign such non-browser certs with a new intermediate CA that is blacklisted in all browsers.
2) Issue such non-browser certs without the serverAuth EKU and with a critical custom EKU. That should cause all browsers to reject them as not suitable for use with a browser. This option works for non-browser apps that can't handle chaining, as long as they ignore what's in the EKU. We're experimenting now to see how successful this approach will be.
-Rick
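The EKU trick in option 2, as an added example that is not part of the original message (example code, not CA/Browser Forum or Symantec code): a test CA issues one leaf with id-kp-serverAuth and one with no serverAuth and a single critical custom EKU, then each certificate is run through a browser-style check (EKU present means it must list serverAuth), a legacy-app check that never reads the EKU, and a strict check that only knows the purposes it is told about. It uses the Python cryptography package; the test CA, the private-arc OID 1.3.6.1.4.1.99999.1 and the helper names are assumptions, not identifiers from the message.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Hypothetical private-enterprise-arc OID standing in for the CA's custom EKU
# (an assumption for this example, not an OID from the message or any real CA).
NONBROWSER_EKU = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1")


def _builder(subject, issuer, public_key, is_ca):
    """Common certificate skeleton: names, serial, one-year validity, basicConstraints."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )


def make_test_ca():
    """Self-signed ECDSA P-256 test CA, constructed for the example."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    key = ec.generate_private_key(ec.SECP256R1())
    cert = _builder(name, name, key.public_key(), True).sign(key, hashes.SHA256())
    return key, cert


def issue_leaf(ca_key, ca_cert, eku_oids, eku_critical):
    """Issue an end-entity cert whose EKU is exactly eku_oids (None means no EKU extension)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "device.example")])
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    b = _builder(subject, ca_cert.subject, leaf_key.public_key(), False)
    if eku_oids is not None:
        b = b.add_extension(x509.ExtendedKeyUsage(eku_oids), critical=eku_critical)
    return b.sign(ca_key, hashes.SHA256())


def _signed_by(cert, ca_cert):
    """True if ca_cert's key produced cert's signature (ECDSA, matching the keys above)."""
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm)
        )
        return True
    except InvalidSignature:
        return False


def _eku(cert):
    """Return the EKU extension, or None when the certificate carries none."""
    try:
        return cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    except x509.ExtensionNotFound:
        return None


def browser_accepts_for_tls(cert, ca_cert):
    """Browser-style rule: signature must verify and, if an EKU is present, it must list id-kp-serverAuth."""
    if not _signed_by(cert, ca_cert):
        return False
    ext = _eku(cert)
    return ext is None or ExtendedKeyUsageOID.SERVER_AUTH in ext.value


def legacy_app_accepts(cert, ca_cert):
    """Non-browser app that checks the signature but never looks at the EKU at all."""
    return _signed_by(cert, ca_cert)


def strict_app_accepts(cert, ca_cert, known_purposes):
    """App that enforces EKU: with an EKU present, at least one listed purpose must be one it knows."""
    if not _signed_by(cert, ca_cert):
        return False
    ext = _eku(cert)
    return ext is None or any(oid in known_purposes for oid in ext.value)


def demo():
    """Issue both certificate flavours and report how each kind of relying party treats them."""
    ca_key, ca_cert = make_test_ca()
    web_cert = issue_leaf(ca_key, ca_cert, [ExtendedKeyUsageOID.SERVER_AUTH], eku_critical=False)
    nonbrowser_cert = issue_leaf(ca_key, ca_cert, [NONBROWSER_EKU], eku_critical=True)
    results = {}
    for label, cert in (("web", web_cert), ("nonbrowser", nonbrowser_cert)):
        results[label] = {
            "eku_critical": _eku(cert).critical,
            "browser": browser_accepts_for_tls(cert, ca_cert),
            "legacy_app": legacy_app_accepts(cert, ca_cert),
            "strict_app_serverauth_only": strict_app_accepts(cert, ca_cert, {ExtendedKeyUsageOID.SERVER_AUTH}),
            "strict_app_knows_custom": strict_app_accepts(cert, ca_cert, {NONBROWSER_EKU}),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The strict checker models the caveat in the message: an application that does enforce EKU but has never heard of the custom OID rejects the certificate for every purpose, which is exactly what marking the extension critical asks for; only an application that ignores the EKU keeps working with these certificates.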