[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Gervase Markham gerv at mozilla.org
Wed Nov 5 10:27:31 UTC 2014

On 05/11/14 01:41, Brian Smith wrote:
> I agree with that. That's why your proposal would not have any positive
> effect for a long time, because browsers would have to trust CA
> certificates without id-kp-serverAuth for a very long time.

Yes, indeed.

> However, I'm assuming that for the CAs for which the BRs apply, it is
> already the case that all or most of their intermediates conform to the
> BRs. 

I would hope so. But is it programmatically detectable that they do? If
so, how? "Publicly audited" is not a determinable characteristic of an

Also, your proposal 1) requires a re-issue of intermediates for all
private PKIs, right? Because they all need to have EKUs in them?
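The two questions above (can the presence of id-kp-serverAuth in CA certificates be checked programmatically, and what happens to a chain whose intermediate has no EKU or an EKU without serverAuth) can be exercised with a small Go program. This is an added example, not code from the thread or from any CA or browser; it uses Go's standard crypto/x509, and the three-certificate chain it builds ("Test Root", "Test Intermediate", "example.test") is constructed in the program, so nothing here describes a real PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf hierarchy (test data, not a real PKI).
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

// issue generates a fresh P-256 key for template and has parent/parentKey sign it;
// a nil parent means self-signed.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate builds a CA template; a nil ekus slice means no EKU extension at all.
func caTemplate(cn string, serial int64, ekus []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           ekus,
	}
}

// BuildChain issues a root (deliberately without any EKU), an intermediate carrying
// interEKUs, and a serverAuth leaf for the made-up name example.test.
func BuildChain(interEKUs []x509.ExtKeyUsage) (Chain, error) {
	root, rootKey, err := issue(caTemplate("Test Root", 1, nil), nil, nil)
	if err != nil {
		return Chain{}, err
	}
	inter, interKey, err := issue(caTemplate("Test Intermediate", 2, interEKUs), root, rootKey)
	if err != nil {
		return Chain{}, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := issue(leafTmpl, inter, interKey)
	if err != nil {
		return Chain{}, err
	}
	return Chain{root, inter, leaf}, nil
}

// CAsWithoutServerAuth is the "programmatically detectable" check: it names every CA
// certificate in the chain that does not assert id-kp-serverAuth. A CA with no EKU
// extension is flagged too, since that is what the proposal would eventually disallow.
func CAsWithoutServerAuth(c Chain) []string {
	var flagged []string
	for _, cert := range []*x509.Certificate{c.Root, c.Intermediate} {
		hasServerAuth := false
		for _, eku := range cert.ExtKeyUsage {
			if eku == x509.ExtKeyUsageServerAuth {
				hasServerAuth = true
				break
			}
		}
		if !hasServerAuth {
			flagged = append(flagged, cert.Subject.CommonName)
		}
	}
	return flagged
}

// VerifyForServerAuth asks Go's verifier to accept the chain for a TLS server. Go treats
// a CA with no EKU extension as unrestricted, but a CA whose EKU omits serverAuth
// (and anyExtendedKeyUsage) makes the whole chain fail.
func VerifyForServerAuth(c Chain) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName:       "example.test",
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	cases := map[string][]x509.ExtKeyUsage{"no EKU": nil, "clientAuth only": {x509.ExtKeyUsageClientAuth}, "serverAuth": {x509.ExtKeyUsageServerAuth}}
	for name, ekus := range cases {
		c, err := BuildChain(ekus)
		if err != nil {
			panic(err)
		}
		fmt.Printf("intermediate %-16s verifies=%-5v CAs lacking serverAuth=%v\n", name, VerifyForServerAuth(c) == nil, CAsWithoutServerAuth(c))
	}
}
```

Running it shows the tension the thread is discussing: the EKU-less intermediate is accepted for serverAuth today (the check in CAsWithoutServerAuth flags it, the verifier does not), an intermediate whose EKU lists only clientAuth is rejected, and only the serverAuth intermediate passes both. Whether other verifiers treat an absent EKU on a CA as "anything goes" is their own choice; this example only reports what Go's crypto/x509 does.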


