[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?

Gervase Markham gerv at mozilla.org
Fri Nov 21 11:43:21 UTC 2014

On 21/11/14 03:20, Ryan Sleevi wrote:
> While I wish it was true that Section 17 covered it, the loophole is in
> Section 1 - "This version of the Requirements only addresses
> Certificates intended to be used for authenticating servers accessible
> through the Internet"
> That is, if you don't meet Section 1's Scope, surely Section 17's audit
> requirements don't apply - or so the argument goes. Aligning Section 17
> with Section 1 is needed, but as multiple CAs have raised during the
> past meetings, that means that all of their (code signing, e-mail, etc)
> certs would fall under the criteria of Section 17. So we need a way to
> make Scope 1 inclusive (measured by capability, not intent, like Section
> 17), but also sufficiently exclusive (such as using id-kp-serverAuth)
> that the existing (code signing, email, etc) intermediates don't run
> afoul OR are entirely covered by the audits.

The BRs are only relevant because root programs enforce them. And root
programs can decide on the scope over which they decide to enforce their
application. So are you saying that the BRs should propose a concrete
scope based on the principles you've outlined, and the root programs
would then say "our scope for BR audits is the scope defined in the BRs"
(or something else, if they wanted something else)?
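The "capability, not intent" scope test quoted above, as an added Go example that is not code from this thread or from the CA/Browser Forum: ServerAuthCapable, OutOfScopeCert, makeCert and the two example chains are my own names and constructed test data, and treating a certificate with no EKU extension as capable follows RFC 5280's rule that an absent EKU means unrestricted use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ServerAuthCapable applies the "capability, not intent" test to a single certificate.
func ServerAuthCapable(c *x509.Certificate) bool {
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny {
			return true // explicitly permits server auth (or any usage)
		}
	}
	// No EKU extension at all means unrestricted under RFC 5280, hence still capable.
	return len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0
}

// OutOfScopeCert walks a leaf-first chain from the root down; nil means the whole chain is in scope.
func OutOfScopeCert(chain []*x509.Certificate) *x509.Certificate {
	for i := len(chain) - 1; i >= 0; i-- {
		if !ServerAuthCapable(chain[i]) {
			return chain[i] // the first link that cannot be used for server auth
		}
	}
	return nil
}

// makeCert builds a constructed self-signed cert and round-trips it through DER, as a real chain would be parsed.
func makeCert(cn string, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: ekus}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) } // constructed data; a failure here is a bug in the example
	c, _ := x509.ParseCertificate(der)
	return c
}

// ExampleChains: two constructed chains under one EKU-less root, a serverAuth-only CA and an e-mail-only CA.
func ExampleChains() (tls, smime []*x509.Certificate) {
	root, sa, em := makeCert("Example Root"), x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection
	tls = []*x509.Certificate{makeCert("www.example.com", sa), makeCert("Example TLS CA", sa), root}
	smime = []*x509.Certificate{makeCert("user@example.com", em), makeCert("Example Email CA", em), root}
	return tls, smime
}
```

Run against a real bundle, OutOfScopeCert names the first CA below the root whose EKU rules out server auth, which is the link at which a capability-based scope would stop applying.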


