[cabfpub] Issuers in BR/EV/EVCS Guideline Scope

Peter Bowen pzb at amzn.com
Fri Apr 15 15:54:45 UTC 2016

> On Apr 15, 2016, at 6:27 AM, Gervase Markham <gerv at mozilla.org> wrote:
> On 14/04/16 15:35, Peter Bowen wrote:
>> I think the following two things are clearly cases when scope does
>> not confer: - Scope is not conferred after the notAfter date in the
>> CA certificate (scope expires)
> This would prevent the CAB Forum making a rule like "revocation
> information for revoked certificates must remain available for at least
> one month after the notAfter date in the cert”.

Yes, this is a good point, especially for durable signatures.

>> - Scope is not conferred if the CA certificate includes a properly
>> formed Extended Key Usage extension and the listed key purposes do
>> not include any of {anyExtendedKeyUsage, id-kp-serverAuth,
>> id-kp-codeSigning}
> Agreed. (Which is not to say all certificates which don't meet that
> criterion _are_ in scope.)


More information about the Public mailing list