On Tue, Nov 4, 2014 at 2:03 AM, Gervase Markham <gerv at mozilla.org> wrote:

> One of the (unstated, I guess) assumptions in my proposal is that
> telling all the CAs to go out and reissue all or most of their
> intermediates won't fly. Do you agree with that?

I agree with that. That's why your proposal would not have any positive
effect for a long time, because browsers would have to trust CA
certificates without id-kp-serverAuth for a very long time.

However, I'm assuming that for the CAs for which the BRs apply, it is
already the case that all or most of their intermediates conform to the
BRs. My proposal would result in no action for them. With my proposal, the
only CAs that would need to do anything would be ones that currently have
intermediates that are trusted for SSL issuance, but which are
non-conformant with the BRs. Again, my proposal is to just codify the
assumption that web browsers are already making; it is actually nothing
new. (Please see my clarification of my suggestion in my response to Eddy,
because it makes a big difference.)
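The check the proposal codifies, as an added example that is not part of the thread or of any browser's code: walk a CA certificate's Extensions SEQUENCE in DER and decide whether its Extended Key Usage admits id-kp-serverAuth. The DER walker, the hand-built sample extensions (a basicConstraints extension plus an EKU extension) and the rule that a CA certificate with no EKU at all is unconstrained are all constructed here; the unconstrained-when-absent rule mirrors what the message says browsers currently do and is an assumption of this example, not a statement of any vendor's policy.

```python
"""Constructed example: does a CA certificate's EKU include id-kp-serverAuth?

Only the Extensions SEQUENCE of a certificate is modelled; the sample bytes
are built by hand below and are not taken from any real certificate.
"""

OID_EXT_KEY_USAGE = "2.5.29.37"
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

TAG_BOOLEAN, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x04, 0x06, 0x30


def read_tlv(data, pos):
    """Decode one DER tag-length-value at data[pos]; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OID content bytes (base-128 arcs) into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Encode a dotted OID into DER content bytes (used only to build samples)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def tlv(tag, content):
    """Wrap content in a short-form DER TLV (samples here are well under 128 bytes)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def eku_oids(extensions_der):
    """Return the KeyPurposeId OIDs of the EKU extension, or None if there is no EKU."""
    tag, exts, _ = read_tlv(extensions_der, 0)
    assert tag == TAG_SEQUENCE
    pos = 0
    while pos < len(exts):
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
        #                          extnValue OCTET STRING }
        _, ext, pos = read_tlv(exts, pos)
        _, oid_bytes, p = read_tlv(ext, 0)
        if decode_oid(oid_bytes) != OID_EXT_KEY_USAGE:
            continue
        tag, val, p = read_tlv(ext, p)
        if tag == TAG_BOOLEAN:  # optional 'critical' flag precedes the value
            tag, val, p = read_tlv(ext, p)
        assert tag == TAG_OCTET_STRING
        _, purposes, _ = read_tlv(val, 0)  # ExtKeyUsageSyntax ::= SEQUENCE OF OID
        oids, q = [], 0
        while q < len(purposes):
            _, oid_bytes, q = read_tlv(purposes, q)
            oids.append(decode_oid(oid_bytes))
        return oids
    return None


def trusted_for_server_auth(extensions_der):
    """Assumed rule: an EKU that omits id-kp-serverAuth excludes TLS issuance;
    a CA certificate with no EKU is treated as unconstrained (current browser practice
    as described in the thread)."""
    oids = eku_oids(extensions_der)
    return oids is None or OID_KP_SERVER_AUTH in oids


def make_extensions(purposes=None):
    """Build a constructed Extensions SEQUENCE: basicConstraints cA=TRUE, plus an
    EKU extension listing `purposes` when given."""
    bc_value = tlv(TAG_SEQUENCE, tlv(TAG_BOOLEAN, b"\xff"))
    exts = tlv(TAG_SEQUENCE, tlv(TAG_OID, encode_oid(OID_BASIC_CONSTRAINTS))
               + tlv(TAG_BOOLEAN, b"\xff") + tlv(TAG_OCTET_STRING, bc_value))
    if purposes is not None:
        seq = b"".join(tlv(TAG_OID, encode_oid(p)) for p in purposes)
        exts += tlv(TAG_SEQUENCE, tlv(TAG_OID, encode_oid(OID_EXT_KEY_USAGE))
                    + tlv(TAG_OCTET_STRING, tlv(TAG_SEQUENCE, seq)))
    return tlv(TAG_SEQUENCE, exts)


# Constructed samples: a BR-style intermediate, a client-auth-only intermediate,
# and a legacy intermediate with no EKU at all.
SERVER_AUTH_CA = make_extensions([OID_KP_SERVER_AUTH, OID_KP_CLIENT_AUTH])
CLIENT_ONLY_CA = make_extensions([OID_KP_CLIENT_AUTH])
NO_EKU_CA = make_extensions(None)

if __name__ == "__main__":
    for name, ext in [("server-auth CA", SERVER_AUTH_CA),
                      ("client-only CA", CLIENT_ONLY_CA), ("no-EKU CA", NO_EKU_CA)]:
        print(name, eku_oids(ext), trusted_for_server_auth(ext))
```

The third sample is the case the message is about: a CA certificate with no EKU is accepted by this rule only because the absence is read as "unconstrained", so a policy that instead required id-kp-serverAuth to be present would change only the `oids is None` branch.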

