[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Gervase Markham gerv at mozilla.org
Thu Nov 20 14:02:58 UTC 2014


On 19/11/14 23:21, Jeremy Rowley wrote:
> I think Ryan’s suggestion is best.  If all intermediates capable of SSL
> issuance are BR audited, then there isn’t an issue.  You still need to
> disclose their existence in accordance with the Mozilla policy, but
> there won’t be a need to reissue the certs.
> 
> Plus, all the groups I contacted responded that their intermediates are
> already compliant and wouldn’t have issues with a BR audit.  I’d support
> moving forward with Ryan’s proposal.

How does Ryan's proposal differ from Brian's?

Brian's proposal, as I now understand it, is basically that we make what
Mozilla requires (in terms of constrain or disclose-and-audit) part of
the BRs rather than just Mozilla policy. And we define that the BRs
cover all publicly-trusted roots, all disclosed-and-audited
intermediates, and certificates issued from them.

Gerv



More information about the Public mailing list