[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?
Brian Smith
brian at briansmith.org
Wed Nov 12 07:22:17 UTC 2014
On Thu, Nov 6, 2014 at 2:41 AM, Gervase Markham <gerv at mozilla.org> wrote:
> On 05/11/14 21:31, Brian Smith wrote:
> So basically I'm proposing an opt-in, phased in over a fairly long time,
> so that eventually we can programmatically determine whether a cert is
> covered, and you are proposing opt-out, phased in over a shorter time?
Again, I'm mostly describing how things *already are*, and how things
*have been* forever.
> A) How many non-BR-covered non-technically-constrained intermediates
> have you issued from your publicly trusted roots?
AFAICT, the answer to this is zero, because the BRs apply to all
non-technically-constrained intermediates of any root that is trusted
for SSL.
> B) How many of those would need to be reissued if there were a
> requirement that they contain an EKU that does not have id-kp-ServerAuth?
I.e. "How many intermediates are non-compliant with the BRs today?"
> I suspect the answer to B) in almost all cases will be exactly the same
> number as the answer to A).
Yes.
Cheers,
Brian