[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Gervase Markham gerv at mozilla.org
Mon Nov 3 19:45:36 UTC 2014


Hi everyone,

I wonder if the BRs should say that all non-root certs in a chain issued
for SSL server use, which were issued after <date>, should have EKU
id-kpServerAuth in them. Date would be, say, six months from now.

This is primarily aimed at intermediates; EE certs all currently have
this anyway. It would mean that, over time (years) as intermediates got
replaced, we could eventually move to a position where it was entirely
clear what certs were intended for Web PKI SSL use and what certs were not.

Currently, any intermediate in the world issued by a publicly-trusted
root can issue for SSL, even those intermediates which are not intended
for such use. This leads to numerous problems, including the question of
whether such intermediates need to be covered by a BR audit. Once this
change had filtered through, it would be clear - they would not be.

AIUI, EKU "chaining" (i.e. requiring an EKU to be present all the way up
the chain) is not standard, but is implemented in NSS and elsewhere.

I know this is a thing which only pays off in the long term, but I still
think it's worth it. Does this make any sense, or have I missed
something obvious? :-)

Gerv
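To make the two rules in the message concrete, here is an added example (not code from the post or from any CA/BR tooling) that models a leaf-first chain and checks it two ways: NSS-style EKU chaining as validators apply it today, and the proposed BR rule that every non-root cert issued on or after a cutoff must carry id-kpServerAuth. The cutoff date, certificate names and the convention that a CA cert with no EKU extension is unconstrained are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
ANY_EKU = "2.5.29.37.0"

# Assumed cutoff: "say, six months" after the Nov 2014 message.
CUTOFF = date(2015, 5, 1)


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the X.509 fields that matter here."""
    subject: str
    issued: date
    eku: frozenset = frozenset()  # empty == no EKU extension present


def permits(cert, purpose):
    # Assumption: no EKU extension, or anyExtendedKeyUsage, means unconstrained.
    return not cert.eku or ANY_EKU in cert.eku or purpose in cert.eku


def chain_permits(chain, purpose=ID_KP_SERVER_AUTH):
    """NSS-style EKU chaining: every cert below the trust anchor must permit
    `purpose`. The root (last element) is skipped; anchors are trusted out of band."""
    return all(permits(cert, purpose) for cert in chain[:-1])


def br_violations(chain, cutoff=CUTOFF, purpose=ID_KP_SERVER_AUTH):
    """Proposed BR rule: non-root certs issued on/after `cutoff` must carry
    `purpose` explicitly; older intermediates are grandfathered. Returns the
    subjects that would fail the rule."""
    return [c.subject for c in chain[:-1]
            if c.issued >= cutoff and purpose not in c.eku]


# Constructed sample certificates.
ROOT = Cert("Example Root", date(2010, 1, 1))
OLD_UNCONSTRAINED = Cert("Old Intermediate (no EKU)", date(2012, 6, 1))
NEW_UNCONSTRAINED = Cert("New Intermediate (no EKU)", date(2016, 1, 1))
SMIME_ONLY = Cert("S/MIME Intermediate", date(2016, 1, 1),
                  frozenset({ID_KP_EMAIL_PROTECTION}))
LEAF = Cert("www.example.com", date(2016, 3, 1), frozenset({ID_KP_SERVER_AUTH}))

if __name__ == "__main__":
    for inter in (OLD_UNCONSTRAINED, NEW_UNCONSTRAINED, SMIME_ONLY):
        chain = [LEAF, inter, ROOT]
        print(inter.subject, "| validator accepts:", chain_permits(chain),
              "| BR violations:", br_violations(chain))
```

The interesting row is the new unconstrained intermediate: validators accept it for serverAuth today, which is exactly the ambiguity the proposal removes, yet it fails the proposed rule once it post-dates the cutoff.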
