[cabfpub] Mozilla SHA-1 further restrictions
gerv at mozilla.org
Thu Nov 17 14:01:41 UTC 2016
On 17/11/16 13:58, Rob Stradling wrote:
> I was mostly just wearing my "please don't create unnecessary extra work
> for CAs" hat.
> However, let's not forget that it's arguably a violation of RFC5280 to
> (ab)use the EKU extension in intermediate certs as a constraint
> mechanism. It's definitely conceivable that there are some modern
> applications that don't process the EKU extension in intermediate certs,
> but which do blow up when they encounter a critical extension that they
> don't process.
Yeah, OK. Fair enough.
More information about the Public