[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Brian Smith brian at briansmith.org
Wed Nov 12 07:22:17 UTC 2014


On Thu, Nov 6, 2014 at 2:41 AM, Gervase Markham <gerv at mozilla.org> wrote:
> On 05/11/14 21:31, Brian Smith wrote:
> So basically I'm proposing an opt-in, phased in over a fairly long time,
> so that eventually we can programmatically determine whether a cert is
> covered, and you are proposing opt-out, phased in over a shorter time?

Again, I'm mostly describing how things *already are*, and how things
*have been* forever.

> A) How many non-BR-covered non-technically-constrained intermediates
> have you issued from your publicly trusted roots?

AFAICT, the answer to this is zero, because the BRs apply to all
non-technically-constrained intermediates of any root that is trusted
for SSL.

> B) How many of those would need to be reissued if there were a
> requirement that they contain an EKU that does not have id-kp-ServerAuth?

I.e. "How many intermediates are non-complaint with the BRs today?"

> I suspect the answer to B) in almost all cases will be exactly the same
> number as the answer to A).

Yes.

Cheers,
Brian



More information about the Public mailing list