[cabfpub] Defining BR scope

Ryan Sleevi sleevi at google.com
Mon Jan 25 21:39:47 UTC 2016


On Fri, Jan 22, 2016 at 8:07 AM, Peter Bowen <pzb at amzn.com> wrote:

> I don’t disagree with this assessment, but the current state of affairs,
> as I understand it, is that any end-entity certificate that is clearly not
> for server authentication is already excluded.  Many browsers (or should I
> say ASSes to be BR compliant?) already operate trust stores that recognize
> a single root to be trusted to issue various kinds of certificates.
> Mozilla recognizes kp-emailProtection in addition to kp-serverAuth (and
> still includes kp-codeSigning for many roots), Microsoft recognizes six key
> purposes other than kp-serverAuth (and includes another four for many
> roots), and Apple seems to have many recognized key purposes.
>

I'm not sure I understand your remark that "any end-entity certificate that
is clearly not for server authentication is already excluded.", and was
hoping you could explain how you see that flowing. I can speculate on the
reasoning, but would probably explain it poorly, so I was hoping you could
expand on where you see the non-BR compliance carveouts being.