[cabfpub] Mozilla SHA-1 further restrictions

Geoff Keating geoffk at apple.com
Fri Nov 18 13:46:26 MST 2016


> On 18 Nov 2016, at 7:26 am, Gervase Markham via Public <public at cabforum.org> wrote:
> 
> On 18/11/16 15:04, Rob Stradling wrote:
>> crt.sh currently has 302 CA certificates that contain the
>> id-kp-clientAuth EKU OID 
> 
> I think you mean id-kp-emailProtection here, from your figures...
> 
>> and that are trusted by Microsoft and/or
>> Mozilla and/or Apple.
>> 
>> Here's a summary of the EKU OIDs contained in those 302 intermediate certs:
>> 
>> count |    x509_extkeyusages     |            purpose
>> -------+--------------------------+--------------------------------
>>   302 | 1.3.6.1.5.5.7.3.4        | id-kp-emailProtection
>>   284 | 1.3.6.1.5.5.7.3.2        | id-kp-clientAuth
>>   104 | 1.3.6.1.5.5.7.3.1        | id-kp-serverAuth
> 
> People make certs usable for both serverAuth and email/clientAuth? :-|

Yes, it’s quite common to have both serverAuth and clientAuth on the same certificate, for use in machine-to-machine communication where all connections are authenticated in both directions.  I’m not sure about both serverAuth and email…
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3321 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20161118/7a95c3aa/attachment.bin>


More information about the Public mailing list