[cabfpub] Mozilla SHA-1 further restrictions

Rob Stradling rob.stradling at comodo.com
Fri Nov 18 15:34:10 UTC 2016


On 18/11/16 15:26, Gervase Markham wrote:
> On 18/11/16 15:04, Rob Stradling wrote:
>> crt.sh currently has 302 CA certificates that contain the
>> id-kp-clientAuth EKU OID
>
> I think you mean id-kp-emailProtection here, from your figures...

Yeah, I did.  Sorry about that.

>> and that are trusted by Microsoft and/or Mozilla and/or Apple.
>>
>> Here's a summary of the EKU OIDs contained in those 302 intermediate certs:
>>
>>  count |    x509_extkeyusages     |            purpose
>> -------+--------------------------+--------------------------------
>>    302 | 1.3.6.1.5.5.7.3.4        | id-kp-emailProtection
>>    284 | 1.3.6.1.5.5.7.3.2        | id-kp-clientAuth
>>    104 | 1.3.6.1.5.5.7.3.1        | id-kp-serverAuth
>
> People make certs usable for both serverAuth and email/clientAuth? :-|

Sadly.  Do you want any more details?

>>     60 | 1.3.6.1.5.5.7.3.9        | id-kp-OCSPSigning
>
> Wait, what?

Depressing, isn't it.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online



