[cabfpub] Mozilla SHA-1 further restrictions

Gervase Markham gerv at mozilla.org
Fri Nov 18 14:35:45 UTC 2016

On 18/11/16 14:16, Doug Beattie wrote:
> Gerv,
> Are you specifically concerned about the id-kp-emailProtection and
> what needs to be combined with that, or is the issue what's the total
> set of EKUs that might be needed?  In other words, do you care less
> if a CA has all of the below except id-kp-emailProtection?

Well, it doesn't sound very sensible to me, but I'm not sure why
Mozilla's policy would care :-)

> By the way, we have the same challenge with our SSL CAs - there's a
> set of EKUs we'd like to include in SSL certs to support Domain
> Controllers and VPN servers.

Are we still talking about SHA-1 issuance here? I don't think Mozilla
has EKU restrictions for non-SHA-1 issuance...


More information about the Public mailing list