[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Ryan Sleevi sleevi at google.com
Thu Nov 13 13:53:44 MST 2014


On Thu, Nov 13, 2014 at 12:51 PM, Moudrick M. Dadashov <md at ssc.lt> wrote:

>  It certainly does. I understand folks looking for a programmatic
> discovery of cert types, but still curious why EKU is more appropriate for
> this than any other predefined field that raises no conflict with standards.
>
> Thanks,
> M.D.
>
>
Because it's widely implemented in a variety of libraries and provides
immediate security benefits for clients, and immediate clarifications for
CAs about in scope vs out of scope, and doesn't conflict with any of the
language in RFC 5280 - which, while it was accurate at the time it was written
("In general, this doesn't appear in CA certs"), is NOT a prohibition
against it, just an observation.