[cabfpub] Misissuance of certificates
Geoff Keating
geoffk at apple.com
Mon Jan 18 14:27:49 MST 2016
For me, one outcome of the previous discussion was that it’d be a lot easier if browsers could require serverAuth in EKU. The number of remaining unexpired certificates without serverAuth is now very small; the only thing preventing me from saying we should all switch to it ASAP is that the SHA-1 and RC4 deprecations are in the pipeline, are more important, and there are limited resources.
Once that’s done, I think there’s a strong case for saying that anyone who wants an certificate with anyEKU must comply with all the requirements for each kind of certificate; if there are contradictions then those need to be worked out.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3321 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20160118/d25fc99b/attachment-0001.bin
More information about the Public
mailing list