[cabfpub] SHA-1 changes and certificate lifetimes

Rick Andrews Rick_Andrews at symantec.com
Wed Nov 13 11:01:53 MST 2013


> I am pretty sure that we will discover that there are non-browser
> applications of certs that cause some people to ask for exceptions.

No doubt, but I think we have at least two workable solutions that came out of the 1024-bit phaseout:

1) Sign such non-browser certs with a new intermediate CA that is blacklisted in all browsers.

2) Issue such non-browser certs without the serverAuth EKU and with a critical custom EKU. That should cause all browsers to reject them as not suitable for use with a browser. This option works for non-browser apps that can't handle chaining, as long as they ignore what's in the EKU. We're experimenting now to see how successful this approach will be.

-Rick
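The second option above, issuing a certificate with a critical EKU extension that omits id-kp-serverAuth, can be exercised locally against a standards-following TLS client. The Go program below is an added illustration, not code from this thread or from any CA: it mints two self-signed test certificates (one carrying id-kp-serverAuth plus a custom purpose, one carrying only the custom purpose), marks the EKU extension critical via `ExtraExtensions`, and then asks Go's `crypto/x509` verifier, standing in for a browser, whether each is acceptable for server authentication. The custom OID under the private-enterprise arc and the host name `nonbrowser.example` are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// HYPOTHETICAL OID under the private-enterprise arc, standing in for the
// "critical custom EKU" mentioned in the post; a real CA's OID is not on the page.
var customEKU = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}

// id-ce-extKeyUsage (RFC 5280 section 4.2.1.12).
var oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}

// id-kp-serverAuth (RFC 5280 section 4.2.1.12).
var oidServerAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}

// Constructed host name used for the test certificate's SAN.
const testHost = "nonbrowser.example"

// issueTestCert builds a self-signed test certificate whose EKU extension is
// marked critical. withServerAuth selects between an ordinary TLS server
// certificate (serverAuth plus the custom purpose) and the post's option 2
// (custom purpose only).
func issueTestCert(withServerAuth bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	purposes := []asn1.ObjectIdentifier{customEKU}
	if withServerAuth {
		purposes = append(purposes, oidServerAuth)
	}
	// ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
	ekuDER, err := asn1.Marshal(purposes)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: testHost},
		DNSNames:              []string{testHost},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // lets the cert serve as its own trust anchor below
		// Go emits EKU as non-critical by default; a raw extension in
		// ExtraExtensions overrides that and lets us set the critical bit.
		ExtraExtensions: []pkix.Extension{{Id: oidExtKeyUsage, Critical: true, Value: ekuDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasServerAuthEKU is the direct check a TLS client makes: is
// id-kp-serverAuth (or anyExtendedKeyUsage) asserted in the EKU extension?
func hasServerAuthEKU(cert *x509.Certificate) bool {
	for _, u := range cert.ExtKeyUsage {
		if u == x509.ExtKeyUsageServerAuth || u == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// acceptedForServerAuth runs Go's full chain verification the way a TLS
// client would, trusting the certificate itself as the root so that only the
// EKU decides the outcome.
func acceptedForServerAuth(cert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		DNSName:   testHost,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	for _, withServerAuth := range []bool{true, false} {
		cert, err := issueTestCert(withServerAuth)
		if err != nil {
			panic(err)
		}
		fmt.Printf("serverAuth present=%v  other purposes=%v  TLS client accepts=%v\n",
			hasServerAuthEKU(cert), cert.UnknownExtKeyUsage, acceptedForServerAuth(cert))
	}
}
```

The verifier rejects the second certificate with an incompatible-usage error because the chain asserts purposes but none of them is serverAuth, which is exactly the behaviour the post relies on from browsers. Note the flip side of the caveat in the post: an application that ignores the EKU extension entirely will accept the certificate, while one that treats an unrecognised key purpose as fatal will reject it, so whether a given non-browser client keeps working has to be tested per client rather than assumed.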