[cabfpub] A conflict about EKU with PKIX

Adam Langley agl at google.com
Mon Mar 20 02:13:54 MST 2017


On Sun, Mar 19, 2017 at 3:26 PM, Peter Bowen <pzb at amzn.com> wrote:

> That being said, I am well aware there are large PKI deployments that
> depend on the alternative meaning.  This keeps being the sticking point
> when trying to propose updating the standards.
>

How do they depend on it? If an implementation assumes that EKUs only apply
to a specific certificate then they would only be added to leaf
certificates, no? Adding them to an intermediate wouldn't make sense since
the "usage" of an intermediate is only to issue other certificates. Thus
the "specific certificate" behaviour would appear to be a compatible subset
of the path-based one.


Cheers

AGL
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170320/a1674bef/attachment.html>


More information about the Public mailing list