[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?
Eddy Nigg
eddy_nigg at startcom.org
Mon Nov 3 21:28:00 UTC 2014
On 11/03/2014 11:03 PM, Bruce Morton wrote:
> Sorry, my error. Somehow I got Certificate Policy and EKU mixed up in my mind.
>
> We do limit our intermediate CAs which issue SSL certificates to Server Auth and Client Auth.
Just for the record, this is nowhere defined in any RFC - id-kpServerAuth
is usually for end-user certificates indicating support for
server-authentication. An intermediate CA with id-kpServerAuth could
also be used for server-authentication if it has other EKUs, but it doesn't
limit issuance to, let's say, code signing certificates.
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
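
Added example, not part of the original message or of any CA's tooling: it builds a constructed three-certificate chain with the Python `cryptography` package and evaluates it two ways, reading EKU on the end-entity certificate only versus the chain-wide reading the thread subject proposes. All names (`Sample Root`, `Sample TLS CA`, `Sample Signer`) and both helper policies are assumptions made for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID

def make_cert(cn, issuer_cn, pub, signing_key, ekus, is_ca):
    """Constructed sample certificate; names and validity dates are made up."""
    def name(s):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    start = dt.datetime(2014, 11, 3)
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + dt.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if ekus:
        b = b.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return b.sign(signing_key, hashes.SHA256())

def ekus_of(cert):
    """Return the set of EKU OIDs, or None when the extension is absent."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    except x509.ExtensionNotFound:
        return None
    return set(ext.value)

def leaf_only_allows(chain, purpose):
    """Leaf-only reading: EKU is checked on chain[0] and nowhere else."""
    leaf = ekus_of(chain[0])
    return leaf is None or purpose in leaf or EKU.ANY_EXTENDED_KEY_USAGE in leaf

def chained_allows(chain, purpose):
    """Chain-wide reading: every certificate that carries an EKU must permit purpose."""
    for cert in chain:
        e = ekus_of(cert)
        if e is not None and purpose not in e and EKU.ANY_EXTENDED_KEY_USAGE not in e:
            return False
    return True

def build_sample_chain():
    """Leaf with codeSigning under an intermediate limited to server/client auth."""
    root_k, ca_k, leaf_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Sample Root", "Sample Root", root_k.public_key(), root_k, None, True)
    inter = make_cert("Sample TLS CA", "Sample Root", ca_k.public_key(), root_k,
                      [EKU.SERVER_AUTH, EKU.CLIENT_AUTH], True)
    leaf = make_cert("Sample Signer", "Sample TLS CA", leaf_k.public_key(), ca_k,
                     [EKU.CODE_SIGNING], False)
    return [leaf, inter, root]
```

For the sample chain, the leaf-only check accepts the code signing purpose while the chain-wide check rejects it, which is the gap between the two readings discussed in this thread.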