[cabfpub] Mozilla SHA-1 further restrictions

Gervase Markham gerv at mozilla.org
Fri Nov 18 15:26:44 UTC 2016


On 18/11/16 15:04, Rob Stradling wrote:
> crt.sh currently has 302 CA certificates that contain the
> id-kp-clientAuth EKU OID 

I think you mean id-kp-emailProtection here, from your figures...

> and that are trusted by Microsoft and/or
> Mozilla and/or Apple.
> 
> Here's a summary of the EKU OIDs contained in those 302 intermediate certs:
> 
>  count |    x509_extkeyusages     |            purpose
> -------+--------------------------+--------------------------------
>    302 | 1.3.6.1.5.5.7.3.4        | id-kp-emailProtection
>    284 | 1.3.6.1.5.5.7.3.2        | id-kp-clientAuth
>    104 | 1.3.6.1.5.5.7.3.1        | id-kp-serverAuth

People make certs usable for both serverAuth and email/clientAuth? :-|

>     60 | 1.3.6.1.5.5.7.3.9        | id-kp-OCSPSigning

Wait, what?

Gerv



More information about the Public mailing list