[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Gervase Markham gerv at mozilla.org
Tue Nov 4 10:03:11 UTC 2014


Hi Brian,

One of the (unstated, I guess) assumptions in my proposal is that
telling all the CAs to go out and reissue all or most of their
intermediates won't fly. Do you agree with that?

On 03/11/14 21:20, Brian Smith wrote:
> 1. Require all intermediate certificates that are NOT to be subject to
> the BRs to include an EKU extension which does NOT include
> id-kp-serverAuth or anyExtendedKeyUsage.
> 
> 2. Require the revocation of any intermediate certificates that do not
> have an EKU extension or have an EKU extension with anyExtendedKeyUsage
> and/or have an EKU extension with id-kp-serverAuth.

AIUI, most intermediate certificates don't have an EKU extension at the
moment. So this would be most intermediates, right?

> It is already clear: If the CA certificate can issue certificates that
> web browsers will trust for web usage, then that CA is required to
> conform to the BRs.

The trouble with this, I seem to remember from previous discussions, is
that it's at odds with reality. I think it's less so than it used to be
(when we accepted EE certs with no EKU, which we no longer do), but it
still is. For example, the intermediates which issue millions of
qualified certs to EU citizens are capable of issuing for SSL, but they
aren't subject to the BRs in practice.

This is the problem I'm trying to solve. It's not currently possible, as
I see it, to sanely define the scope of the BRs, and the scope of what
browsers can accept with a programmatic check, and make them match with
no loopholes.

Gerv
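Added example, not from the thread or from any CA/B Forum document: a small model of the EKU-chaining rule that makes an intermediate "capable of issuing for SSL", and of how the quoted two-item proposal would classify intermediates. It assumes browser-style chaining (an absent EKU or anyExtendedKeyUsage on a CA certificate is unconstrained; otherwise every CA in the chain must list the usage), and the sample intermediates are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Extended key usage OIDs (RFC 5280 / RFC 5280 section 4.2.1.12).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
EMAIL_PROT  = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection
ANY_EKU     = "2.5.29.37.0"         # anyExtendedKeyUsage


@dataclass(frozen=True)
class CaCert:
    name: str
    eku: Optional[FrozenSet[str]]   # None = no EKU extension present at all


def permitted_usages(ca: CaCert) -> Optional[FrozenSet[str]]:
    """Usages this CA may pass down; None means unconstrained.
    Assumption: no EKU, or anyExtendedKeyUsage, is treated as 'anything'."""
    if ca.eku is None or ANY_EKU in ca.eku:
        return None
    return ca.eku


def chain_permits(chain: List[CaCert], usage: str) -> bool:
    """Browser-style EKU chaining: a usage survives only if every CA in the
    chain (root and intermediates) permits it."""
    for ca in chain:
        allowed = permitted_usages(ca)
        if allowed is not None and usage not in allowed:
            return False
    return True


def classify(ca: CaCert, claimed_br_exempt: bool) -> str:
    """Outcome under the quoted proposal for a single intermediate.
    Item 1: an exempt intermediate must carry an EKU that excludes
    serverAuth and anyEKU. Item 2: an exempt intermediate that still can
    issue serverAuth (no EKU, anyEKU, or serverAuth) must be revoked."""
    if not claimed_br_exempt:
        return "subject to BRs"
    can_issue_tls = chain_permits([ca], SERVER_AUTH)
    return "must revoke" if can_issue_tls else "exempt"


# Constructed sample intermediates (not real CA names).
QUALIFIED_ISSUER = CaCert("example qualified-cert issuer", None)   # no EKU
SMIME_ISSUER = CaCert("example S/MIME issuer", frozenset({EMAIL_PROT, CLIENT_AUTH}))
```

Under this model the "qualified certs" intermediate with no EKU is capable of issuing for SSL and so falls under item 2, while the S/MIME issuer satisfies item 1.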