[cabfpub] Misissuance of certificates
geoffk at apple.com
Mon Jan 18 21:27:49 UTC 2016
For me, one outcome of the previous discussion was that it’d be a lot easier if browsers could require serverAuth in EKU. The number of remaining unexpired certificates without serverAuth is now very small; the only thing preventing me from saying we should all switch to it ASAP is that the SHA-1 and RC4 deprecations are in the pipeline, are more important, and there are limited resources.
Once that’s done, I think there’s a strong case for saying that anyone who wants an certificate with anyEKU must comply with all the requirements for each kind of certificate; if there are contradictions then those need to be worked out.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3321 bytes
Desc: not available
More information about the Public