[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Moudrick M. Dadashov md at ssc.lt
Mon Nov 3 15:24:08 MST 2014


Rick,

EKUs are normally used on EE certificates, but the QC profile doesn't use them.

Below are the allowed KeyUsage bit combinations (just in case) for 
signature certs:

NR   DS   KE/KA
+    -    -
+    +    -
-    +    -
-    +    +
-    -    +
+    +    +

Thanks,
M.D.

On 11/4/2014 12:00 AM, Rick Andrews wrote:
>
> Can one of our European colleagues comment about Qualified certs? I 
> seem to recall that was the sticky point when we last discussed this.
>
> -Rick
>
> *From:* public-bounces at cabforum.org 
> [mailto:public-bounces at cabforum.org] *On Behalf Of* Eddy Nigg
> *Sent:* Monday, November 03, 2014 1:45 PM
> *To:* Brian Smith
> *Cc:* CABFPub
> *Subject:* Re: [cabfpub] (Eventually) requiring id-kpServerAuth for 
> all certs in the chain?
>
> On 11/03/2014 11:36 PM, Brian Smith wrote:
>
>     On Mon, Nov 3, 2014 at 1:32 PM, Eddy Nigg <eddy_nigg at startcom.org
>     <mailto:eddy_nigg at startcom.org>> wrote:
>
>     On 11/03/2014 11:20 PM, Brian Smith wrote:
>
>         2. Require the revocation of any intermediate certificates
>         that do not have an EKU extension or have an EKU extension
>         with anyExtendedKeyUsage and/or have an EKU extension with
>         id-kp-serverAuth.
>
>     You must be joking, aren't you? :-)
>
>     Sorry, I omitted a qualifier: "...that do not conform to the BRs
>     (e.g. are not technically constrained or publicly audited)."
>
>     In other words, require the revocation of CA certificates that do
>     not comply with the BRs, if issued by a CA for which the BRs
>     apply. Again, this should already be the case.
>
>
> Ah, that's something else :-)
>
> Thanks for confirming.
>
> -- 
> Regards
>
> Signer:  Eddy Nigg, COO/CTO
>          StartCom Ltd. <http://www.startcom.org>
> XMPP:    startcom at startcom.org <xmpp:startcom at startcom.org>
> Blog:    Join the Revolution! <http://blog.startcom.org>
> Twitter: Follow Me <http://twitter.com/eddy_nigg>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
