[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Eddy Nigg eddy_nigg at startcom.org
Mon Nov 3 21:44:40 UTC 2014

On 11/03/2014 11:36 PM, Brian Smith wrote:
> On Mon, Nov 3, 2014 at 1:32 PM, Eddy Nigg <eddy_nigg at startcom.org 
> <mailto:eddy_nigg at startcom.org>> wrote:
>     On 11/03/2014 11:20 PM, Brian Smith wrote:
>>     2. Require the revocation of any intermediate certificates that
>>     do not have an EKU extension or have an EKU extension with
>>     anyExtendedKeyUsage and/or have an EKU extension with
>>     id-kp-serverAuth.
>     You must be joking, aren't you? :-)
> Sorry, I omitted a qualifier: "...that do not conform to the BRs (e.g. 
> are not technically constrained or publicly audited)."
> In other words, require the revocation of CA certificates that do not 
> comply with the BRs, if issued by a CA for which the BRs apply. Again, 
> this should already be the case.

Ah, that's something else :-)

Thanks for confirming.

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141103/dbc62789/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4313 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141103/dbc62789/attachment-0001.p7s>

More information about the Public mailing list