[cabfpub] Mozilla SHA-1 further restrictions

Gervase Markham gerv at mozilla.org
Thu Nov 17 14:01:41 UTC 2016


On 17/11/16 13:58, Rob Stradling wrote:
> I was mostly just wearing my "please don't create unnecessary extra work
> for CAs" hat.
> 
> However, let's not forget that it's arguably a violation of RFC5280 to
> (ab)use the EKU extension in intermediate certs as a constraint
> mechanism.  It's definitely conceivable that there are some modern
> applications that don't process the EKU extension in intermediate certs,
> but which do blow up when they encounter a critical extension that they
> don't process.

Yeah, OK. Fair enough.

Gerv




More information about the Public mailing list