[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Brian Smith brian at briansmith.org
Wed Nov 12 07:23:49 UTC 2014


On Thu, Nov 6, 2014 at 1:17 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:
> Gerv, off-hand I'd say about half of the non-technically-constrained intermediates we've issued from our publicly trusted roots are not BR-covered. They sign code signing, timestamping, and client auth certs. But none of them (and none of our SSL intermediates) contain an EKU. If we'd have to re-issue SSL intermediates to add serverAuth EKU and non-SSL intermediates to add EKU with some other value, then we'd have to reissue all our intermediates. And we wouldn't be very excited about that.

Rick, you only have to re-issue (and revoke the old version of)
non-SSL intermediates, not SSL intermediates, because the lack of an
EKU implies anyExtendedKeyUsage which implies id-kp-serverAuth.

Cheers,
Brian
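The point Brian makes, that an intermediate with no extKeyUsage extension is treated as anyExtendedKeyUsage and therefore already covers id-kp-serverAuth, is easy to check mechanically. The following is an added example, not code from this thread or from any CA or browser: it parses the DER value of the ExtKeyUsageSyntax extension (a SEQUENCE of OBJECT IDENTIFIERs) and then walks a chain applying exactly that rule, so that only an intermediate carrying an EKU that omits both serverAuth and anyEKU blocks a server-auth chain. The chain data and EKU byte strings are hand-constructed for illustration; `_read_tlv`, `decode_oid`, `parse_eku`, `permits` and `chain_permits` are names chosen here, not any library's API.

```python
# Added example (not from the cabfpub thread): parse the DER value of the
# X.509 extKeyUsage extension and apply the rule "no EKU in a CA cert means
# anyExtendedKeyUsage, which includes id-kp-serverAuth".

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_ANY_EKU = "2.5.29.37.0"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents octets to dotted-decimal form."""
    first = body[0]
    # The first octet packs the first two arcs as 40*arc1 + arc2.
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:  # remaining arcs are base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """Parse ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    if not oids:
        raise ValueError("EKU SEQUENCE must contain at least one OID")
    return oids


def permits(eku_der, purpose):
    """True if a cert whose EKU extension value is eku_der (None = absent) allows purpose."""
    if eku_der is None:
        return True  # absent EKU is treated as anyExtendedKeyUsage
    oids = parse_eku(eku_der)
    return purpose in oids or OID_ANY_EKU in oids


def chain_permits(chain, purpose=OID_SERVER_AUTH):
    """chain is a list of (name, eku_der_or_None), root first.
    Returns the name of the first cert that blocks purpose, or None if all permit it."""
    for name, eku_der in chain:
        if not permits(eku_der, purpose):
            return name
    return None


# Constructed DER values (hand-encoded for this example, not from real certificates).
EKU_SERVER_CLIENT = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
EKU_CODESIGN_TS = bytes.fromhex("3014" "06082b06010505070303" "06082b06010505070308")
EKU_ANY = bytes.fromhex("3006" "0604551d2500")

# Constructed chains illustrating the three intermediate shapes discussed above.
SSL_CHAIN = [("root", None), ("ssl-intermediate (no EKU)", None), ("leaf", EKU_SERVER_CLIENT)]
NON_SSL_CHAIN = [("root", None), ("codesigning-intermediate", EKU_CODESIGN_TS), ("leaf", EKU_SERVER_CLIENT)]
ANY_CHAIN = [("root", None), ("any-eku-intermediate", EKU_ANY), ("leaf", EKU_SERVER_CLIENT)]

if __name__ == "__main__":
    for label, chain in [("ssl", SSL_CHAIN), ("non-ssl", NON_SSL_CHAIN), ("any", ANY_CHAIN)]:
        print(label, "blocked by:", chain_permits(chain))
```

Running it shows the SSL chain (intermediate without EKU) and the anyEKU chain are both usable for serverAuth, while the chain through the code-signing intermediate is blocked at that intermediate, which is the effect re-issuing non-SSL intermediates with a restrictive EKU is meant to achieve. The check treats every certificate in the chain uniformly; real validators differ in how strictly they apply EKU to the end-entity versus CA certificates, so this is the policy rule from the message, not a substitute for a full path-validation library.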