[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?
Eddy Nigg
eddy_nigg at startcom.org
Mon Nov 3 14:44:40 MST 2014
On 11/03/2014 11:36 PM, Brian Smith wrote:
> On Mon, Nov 3, 2014 at 1:32 PM, Eddy Nigg <eddy_nigg at startcom.org
> <mailto:eddy_nigg at startcom.org>> wrote:
>
>
> On 11/03/2014 11:20 PM, Brian Smith wrote:
>> 2. Require the revocation of any intermediate certificates that
>> do not have an EKU extension or have an EKU extension with
>> anyExtendedKeyUsage and/or have an EKU extension with
>> id-kp-serverAuth.
> You must be joking, aren't you? :-)
>
>
> Sorry, I omitted a qualifier: "...that do not conform to the BRs (e.g.
> are not technically constrained or publicly audited)."
>
> In other words, require the revocation of CA certificates that do not
> comply with the BRs, if issued by a CA for which the BRs apply. Again,
> this should already be the case.
Ah, that's something else :-)
Thanks for confirming.
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20141103/dbc62789/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4313 bytes
Desc: S/MIME Cryptographic Signature
Url : https://cabforum.org/pipermail/public/attachments/20141103/dbc62789/attachment-0001.bin
More information about the Public
mailing list