[cabfpub] Misissuance of certificates

Geoff Keating geoffk at apple.com
Mon Jan 18 21:27:49 UTC 2016

For me, one outcome of the previous discussion was that it’d be a lot easier if browsers could require serverAuth in EKU.  The number of remaining unexpired certificates without serverAuth is now very small; the only thing preventing me from saying we should all switch to it ASAP is that the SHA-1 and RC4 deprecations are in the pipeline, are more important, and there are limited resources.

Once that’s done, I think there’s a strong case for saying that anyone who wants an certificate with anyEKU must comply with all the requirements for each kind of certificate; if there are contradictions then those need to be worked out.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3321 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160118/d25fc99b/attachment-0001.p7s>

More information about the Public mailing list