[cabfpub] Misissuance of certificates

Jeremy Rowley jeremy.rowley at digicert.com
Mon Jan 18 19:53:56 UTC 2016

I don’t recall that as being the case.  I think the discussion stalled because certain national programs used the anyEKU and their national policies conflicted with the BRs.  I know we all agreed serverAuth ought to be included.  The question was on no EKU and anyEKU as they are both technically server certs.  


From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Monday, January 18, 2016 11:53 AM
To: Rick Andrews
Cc: Jeremy Rowley; Peter Bowen; Doug Beattie; public at cabforum.org
Subject: Re: [cabfpub] Misissuance of certificates




On Mon, Jan 18, 2016 at 10:45 AM, Rick Andrews <Rick_Andrews at symantec.com> wrote:

That discussion was challenging because each browser had different behavior regarding what it accepted as an SSL cert. I had captured some of the differences here: https://cabforum.org/wiki/Browser%20Behavior, and that's likely out of date.



I don't see any reason for there to be challenge based on that. It's a question of what the accepted definition of "in scope" is. Presumably, browsers will want what they accept as "in scope", but that wasn't what stalled the conversation at all - it was CAs wanting stuff that browsers ALL accepted as "out of scope". 
