[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Eddy Nigg eddy_nigg at startcom.org
Thu Nov 13 22:07:53 UTC 2014

On 11/13/2014 10:53 PM, Ryan Sleevi wrote:
> Because it's widely implemented in a variety of libraries and provides 
> immediate security benefits for clients, and immediate clarifications 
> for CAs about in scope vs out of scope, and doesn't conflict with any 
> of the language in RFC 5280 - which, while was accurate at the time it 
> was written ("In general, this doesn't appear in CA certs"), is NOT a 
> prohibition against it, just an observation.

Yes, but....there is a big BUT that the true meaning of an EKU in a CA 
certificate (for that matter in any certificate) will define how such a 
certificate can be used. The meaning of id-kpServerAuth is clearly 
defined and it's not for the suggested use in CA certificates as 
currently proposed.

Just want to set the record strait as how I read it.

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141114/53bd4f3f/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4313 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141114/53bd4f3f/attachment-0001.p7s>

More information about the Public mailing list