[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Rick Andrews Rick_Andrews at symantec.com
Mon Nov 3 22:00:26 UTC 2014

Can one of our European colleagues comment about Qualified certs? I seem to recall that was the sticky point when we last discussed this.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg
Sent: Monday, November 03, 2014 1:45 PM
To: Brian Smith
Subject: Re: [cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

On 11/03/2014 11:36 PM, Brian Smith wrote:
On Mon, Nov 3, 2014 at 1:32 PM, Eddy Nigg <eddy_nigg at startcom.org> wrote:

On 11/03/2014 11:20 PM, Brian Smith wrote:
2. Require the revocation of any intermediate certificates that do not have an EKU extension or have an EKU extension with anyExtendedKeyUsage and/or have an EKU extension with id-kp-serverAuth.
You must be joking, aren't you? :-)

Sorry, I omitted a qualifier: "...that do not conform to the BRs (e.g. are not technically constrained or publicly audited)."

In other words, require the revocation of CA certificates that do not comply with the BRs, if issued by a CA for which the BRs apply. Again, this should already be the case.

Ah, that's something else :-)

Thanks for confirming.


Eddy Nigg, COO/CTO

StartCom Ltd.<http://www.startcom.org>


startcom at startcom.org<xmpp:startcom at startcom.org>


Join the Revolution!<http://blog.startcom.org>


Follow Me<http://twitter.com/eddy_nigg>
