[cabfpub] Defining BR scope
sleevi at google.com
Mon Jan 25 21:39:47 UTC 2016
On Fri, Jan 22, 2016 at 8:07 AM, Peter Bowen <pzb at amzn.com> wrote:
> I don’t disagree with this assessment, but the current state of affairs,
> as I understand it, is that any end-entity certificate that is clearly not
> for server authentication is already excluded. Many browsers (or should I
> say ASSes to be BR compliant?) already operate trust stores that recognize
> a single root to be trusted to issue various kinds of certificates.
> Mozilla recognizes kp-emailProtection in addition to kp-serverAuth (and
> still includes kp-codeSigning for many roots), Microsoft recognizes six key
> purposes other than kp-serverAuth (and includes another four for many
> roots), and Apple seems to have many recognized key purposes.
I'm not sure I understand your remark that "any end-entity certificate that
is clearly not for server authentication is already excluded", and was
hoping you could explain how you see that flowing. I can speculate on the
reasoning, but would probably explain it poorly, so I was hoping you could
expand on where you see the non-BR compliance carveouts being.