[cabfpub] Issuers in BR/EV/EVCS Guideline Scope

Gervase Markham gerv at mozilla.org
Fri Apr 15 13:27:34 UTC 2016

On 14/04/16 15:35, Peter Bowen wrote:
> I think the following two things are clearly cases when scope does
> not confer: - Scope is not conferred after the notAfter date in the
> CA certificate (scope expires)

This would prevent the CAB Forum making a rule like "revocation
information for revoked certificates must remain available for at least
one month after the notAfter date in the cert".

> - Scope is not conferred if the CA certificate includes a properly
> formed Extended Key Usage extension and the listed key purposes do
> not include any of {anyExtendedKeyUsage, id-kp-serverAuth,
> id-kp-codeSigning}

Agreed. (Which is not to say all certificates which don't meet that
criterion _are_ in scope.)


More information about the Public mailing list