[cabfpub] Mozilla SHA-1 further restrictions

Dimitris Zacharopoulos jimmy at it.auth.gr
Fri Nov 18 09:19:50 MST 2016



On 18/11/2016 5:34 μμ, Rob Stradling via Public wrote:
> On 18/11/16 15:26, Gervase Markham wrote:
>> On 18/11/16 15:04, Rob Stradling wrote:
>>> crt.sh currently has 302 CA certificates that contain the
>>> id-kp-clientAuth EKU OID
>>
>> I think you mean id-kp-emailProtection here, from your figures...
>
> Yeah, I did.  Sorry about that.
>
>>> and that are trusted by Microsoft and/or> Mozilla and/or Apple.
>>>
>>> Here's a summary of the EKU OIDs contained in those 302 intermediate 
>>> certs:
>>>
>>>  count |    x509_extkeyusages     |            purpose
>>> -------+--------------------------+--------------------------------
>>>    302 | 1.3.6.1.5.5.7.3.4        | id-kp-emailProtection
>>>    284 | 1.3.6.1.5.5.7.3.2        | id-kp-clientAuth
>>>    104 | 1.3.6.1.5.5.7.3.1        | id-kp-serverAuth
>>
>> People make certs usable for both serverAuth and email/clientAuth? :-|
>
> Sadly.  Do you want any more details?
>
>>>     60 | 1.3.6.1.5.5.7.3.9        | id-kp-OCSPSigning
>>
>> Wait, what?
>
> Depressing, isn't it.
>

Others have already replied so I will not state what's already been 
said. It may be strange to see an end-entity certificate with both these 
EKUs (serverAuth and emailProtection). However, the BRs allow it 
(Section 7.1.2.3 "Either the value id‐kp‐serverAuth [RFC5280] or 
id‐kp‐clientAuth [RFC5280] or both values MUST be present.
id‐kp‐emailProtection [RFC5280] MAY be present.  Other values SHOULD NOT 
be present. ").


Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20161118/0414a59c/attachment-0001.html>


More information about the Public mailing list