[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Eddy Nigg eddy_nigg at startcom.org
Mon Nov 3 14:28:00 MST 2014


On 11/03/2014 11:03 PM, Bruce Morton wrote:
> Sorry, my error. Somehow I got Certificate Policy and EKU mixed up in my mind.
>
> We do limit our intermediate CAs which issue SSL certificates to Server Auth and Client Auth.

Just for the record, this is nowhere defined in any RFC - id-kpServerAuth 
is usually for end-user certificates indicating support for 
server-authentication. An intermediate CA with id-kpServerAuth could 
also be used for server-authentication if it has other EKUs, but it doesn't 
limit issuance to, let's say, code signing certificates.

-- 
Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>
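
An added example, not part of the original message or of any CA's or validator's code: it models a chain as EKU sets and compares checking EKU on the end-entity certificate only with the rule in the thread subject, where every certificate below the trust anchor must permit the purpose. The `Cert` class, the function names and the sample chains are constructed for illustration, and the chained rule is modeled here as an assumption about the proposal.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# KeyPurposeId OIDs from RFC 5280, section 4.2.1.12.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
ANY_EKU = "2.5.29.37.0"

@dataclass(frozen=True)
class Cert:
    """Hypothetical stand-in for a parsed certificate."""
    subject: str
    eku: Optional[FrozenSet[str]]  # None: EKU extension absent

def permits(cert: Cert, purpose: str) -> bool:
    """True if the cert has no EKU, lists the purpose, or lists anyExtendedKeyUsage."""
    return cert.eku is None or purpose in cert.eku or ANY_EKU in cert.eku

def leaf_only_ok(chain: List[Cert], purpose: str) -> bool:
    """EKU consulted on the end-entity certificate (chain[0]) only."""
    return permits(chain[0], purpose)

def blocking_certs(chain: List[Cert], purpose: str) -> List[str]:
    """Assumed chained rule: every cert below the trust anchor (chain[-1]) must permit the purpose."""
    return [c.subject for c in chain[:-1] if not permits(c, purpose)]

def chained_ok(chain: List[Cert], purpose: str) -> bool:
    """True when no certificate below the trust anchor blocks the purpose."""
    return not blocking_certs(chain, purpose)

# Constructed sample chains, ordered leaf first, trust anchor last.
ROOT = Cert("Constructed Root CA", None)
TLS_CA = Cert("Constructed TLS Issuing CA", frozenset({SERVER_AUTH, CLIENT_AUTH}))
CODE_LEAF = Cert("constructed code signer", frozenset({CODE_SIGNING}))
TLS_LEAF = Cert("www.example.test", frozenset({SERVER_AUTH}))
CODE_CHAIN = [CODE_LEAF, TLS_CA, ROOT]
TLS_CHAIN = [TLS_LEAF, TLS_CA, ROOT]

if __name__ == "__main__":
    for name, chain, purpose in (("code signing", CODE_CHAIN, CODE_SIGNING),
                                 ("server auth", TLS_CHAIN, SERVER_AUTH)):
        print(name, "leaf-only:", leaf_only_ok(chain, purpose),
              "chained:", chained_ok(chain, purpose),
              "blocked by:", blocking_certs(chain, purpose))
```
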
