[cabfpub] Mozilla SHA-1 further restrictions

Gervase Markham gerv at mozilla.org
Thu Nov 17 13:45:04 UTC 2016

On 17/11/16 12:42, Rob Stradling wrote:
> Gerv, why must the EKU extension be critical?

Are you saying that making it critical causes problems?

> I don't remember ever seeing an intermediate cert with a critical EKU
> extension.  It would be unfortunate if your "further restrictions" lead
> to CAs reissuing their SHA-1 intermediates!

I don't see much risk in a CA reissuing a SHA-1 intermediate /per se/,
because I am assuming that CAs are not trying to engineer collisions.


More information about the Public mailing list