[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Wayne Thayer wthayer at godaddy.com
Thu Nov 6 17:57:51 UTC 2014

> Your proposal has the same issue. In both proposals, just by looking at
> the certificate chain, you can tell whether the intermediate is required
> to conform to the BRs or not. The only difference is that the way Ryan
> and I are suggesting already matches what Chrome (on Windows, at least),
> IE, and Firefox are already doing, whereas you are proposing that all
> browsers eventually (5-10 years from now?) be changed to do something
> new, without any protection for users until then.

I’d like to point out that Microsoft’s current Root Program has a requirement that’s very similar to Gerv’s proposal:

Rollover root certificates will not be accepted that combine server authentication with code signing uses unless the uses are separated by application of EKUs at the intermediate CA certificate level that are reflected in the whole certificate chain.

Representing a CA issuing primarily SSL and code signing certs from the same roots, Gerv’s proposal seems redundant given what Microsoft already requires, but I’m sure there are other scenarios to consider. It’d be great to get Microsoft’s input on this so that whatever we come up with is consistent with their policy.
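The chain-level EKU enforcement the quoted reply attributes to Chrome, IE and Firefox, as an added example that is not part of this thread: Go's crypto/x509 verifier applies the same rule, so the constructed root -> intermediate -> leaf chain below verifies for server authentication only when the intermediate either carries no EKU extension or includes id-kp-serverAuth. All certificate names, serials and keys are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for a fresh P-256 key; a nil parent means self-signed.
// All names and serials here are constructed for the demo, not from any real CA.
func issue(cn string, isCA bool, ekus []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // inputs are fixed, so any failure is a programming error
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: ekus, // nil means the EKU extension is absent entirely
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	return cert, key
}

// ChainServesTLS builds root -> intermediate -> leaf (leaf EKU = id-kp-serverAuth) and reports
// whether the chain verifies for server authentication; an intermediate with an EKU must include it.
func ChainServesTLS(intermediateEKUs []x509.ExtKeyUsage) bool {
	root, rootKey := issue("Constructed Test Root", true, nil, nil, nil)
	inter, interKey := issue("Constructed Test Intermediate", true, intermediateEKUs, root, rootKey)
	leaf, _ := issue("example.test", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}
```

A code-signing-only intermediate therefore fails the TLS check, while one with no EKU extension, or one listing both usages, passes.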

