[Servercert-wg] Aligning the BRs with existing Browser Requirements

Ryan Sleevi sleevi at google.com
Tue Oct 15 10:09:41 MST 2019

Another example was highlighted with respect to authority key identifier

The requirements on authorityKeyIdentifiers are updated to align with

   - RFC 5280 requires that the authorityKeyIdentifier MUST be present in
   all certificates, except for self-signed certificates used as trust
   anchors, and MUST contain a keyIdentifier field.
   - Mozilla Policy prohibits certificates from simultaneously having a
   keyIdentifier and authorityCertIssuer+authorityCertSerialNumber fields (

You can see this change in isolation at
or the overall set of changes continue to be available at

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191015/e99cb1c0/attachment.html>

More information about the Servercert-wg mailing list