[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?
Gervase Markham
gerv at mozilla.org
Wed Nov 5 10:27:31 UTC 2014
On 05/11/14 01:41, Brian Smith wrote:
> I agree with that. That's why your proposal would not have any positive
> effect for a long time, because browsers would have to trust CA
> certificates without id-kp-serverAuth for a very long time.

Yes, indeed.

> However, I'm assuming that for the CAs for which the BRs apply, it is
> already the case that all or most of their intermediates conform to the
> BRs.

I would hope so. But is it programmatically detectable that they do? If
so, how? "Publicly audited" is not a determinable characteristic of an
intermediate.

Also, your proposal 1) requires a re-issue of intermediates for all
private PKIs, right? Because they all need to have EKUs in them?

Gerv