[cabfpub] Additional OIDs in end-entity certificates

Geoff Keating geoffk at apple.com
Mon Aug 22 17:20:29 UTC 2016


> On 21 Aug 2016, at 3:07 PM, Kirk Hall <Kirk.Hall at entrust.com> wrote:
> 
> That’s good news, Ryan – some have said that no OIDs are permitted in certificates except for those specified in the BRs and/or RFC 5280, etc.  I couldn’t see where that was specified so I thought I’d check with the browsers.  Sounds like Google has no objections to additional OIDs.
>  
> Assuming the other browsers take the same position, then in the future when a CA or a political jurisdiction wants extra markers in certificates for their own purposes, the Forum and the browsers won’t have to get involved. 
>  
> Do Microsoft, Apple, and Mozilla agree?

Apple routinely adds extra OIDs to certificates we issue, in various places, and we think that doesn’t make them BR-noncompliant.
