[cabfpub] SHA-1 changes and certificate lifetimes

Rick Andrews Rick_Andrews at symantec.com
Wed Nov 13 18:01:53 UTC 2013

> I am pretty sure that we will discover that there are non-browser
> applications of certs that cause some people to ask for exceptions.

No doubt, but I think we have at least two workable solutions that came out of the 1024-bit phaseout:

1) Sign such non-browser certs with a new intermediate CA that is blacklisted in all browsers.

2) Issue such non-browser certs without the serverAuth EKU and with a critical custom EKU. That should cause all browsers to reject them as not suitable for use with a browser. This option works for non-browser apps that can't handle chaining, as long as they ignore what's in the EKU. We're experimenting now to see how successful this approach will be.
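The second option can be checked end to end with OpenSSL. The script below is an added example and is not part of this thread or of any CA's tooling: it builds a throwaway root, issues one certificate with only a critical custom EKU (no serverAuth) and one with serverAuth, and then asks `openssl verify -purpose sslserver` whether each is acceptable for TLS server use. All names and keys are constructed, and the OID under `1.3.6.1.4.1.99999` is a placeholder, not an assigned private-enterprise arc.

```shell
#!/bin/sh
# Added example, not part of the cabfpub thread: build a tiny demo PKI with
# OpenSSL and show that a cert carrying only a critical custom EKU (no
# serverAuth) fails verification for the TLS-server purpose, while an
# otherwise identical cert with serverAuth passes. Names and keys are
# constructed; the OID under 1.3.6.1.4.1.99999 is a placeholder, not an
# assigned private-enterprise number.
set -e

WORK=$(mktemp -d)
cd "$WORK"

CUSTOM_EKU_OID="1.3.6.1.4.1.99999.1"   # placeholder OID

# Extension profiles (constructed for the demo)
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

cat > nonbrowser.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = critical, ${CUSTOM_EKU_OID}
EOF

cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Self-signed demo root (short lifetime; throwaway test material)
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
  -subj "/CN=Demo Root CA" >/dev/null 2>&1
openssl x509 -req -in ca.csr -signkey ca.key -days 30 -extfile ca.ext \
  -out ca.pem >/dev/null 2>&1

# issue NAME EXTFILE: create a key and CSR for NAME, sign it under the demo root
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1.example" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -extfile "$2" -out "$1.pem" >/dev/null 2>&1
}

issue nonbrowser nonbrowser.ext   # option 2 from the post: critical custom EKU, no serverAuth
issue server server.ext           # ordinary TLS server cert, for comparison

# verify_for_tls_server CERT: exit 0 if CERT chains to the demo root AND is
# acceptable for the TLS-server purpose (the EKU test a browser applies),
# non-zero otherwise.
verify_for_tls_server() {
  openssl verify -CAfile ca.pem -purpose sslserver "$1" >/dev/null 2>&1
}

# has_server_auth CERT: exit 0 if the cert's EKU lists TLS Web Server Authentication
has_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}

for c in server nonbrowser; do
  if verify_for_tls_server "$c.pem"; then
    echo "$c.pem: accepted for sslserver purpose"
  else
    echo "$c.pem: REJECTED for sslserver purpose"
  fi
done
```

Note that `openssl verify` only applies the EKU test when a `-purpose` is given; without it both certificates chain fine, which is exactly the situation of a non-browser application that ignores the EKU, as the post describes.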
