[Servercert-wg] Aligning the BRs with existing Browser Requirements

Ryan Sleevi sleevi at google.com
Tue Oct 15 10:09:41 MST 2019


Another example was highlighted with respect to authority key identifier
extensions.

The requirements on authorityKeyIdentifiers are updated to align with
Mozilla

   - RFC 5280 requires that the authorityKeyIdentifier MUST be present in
   all certificates, except for self-signed certificates used as trust
   anchors, and MUST contain a keyIdentifier field.
   - Mozilla Policy prohibits certificates from simultaneously having a
   keyIdentifier and authorityCertIssuer+authorityCertSerialNumber fields
   (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#52-forbidden-and-required-practices)

You can see this change in isolation at
https://github.com/sleevi/cabforum-docs/commit/0bc0eab88ea456d2582a915cf77a09aa5d645a89,
or the overall set of changes continues to be available at
https://github.com/cabforum/documents/compare/master...sleevi:2019-10-Browser_Alignment
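
The two authorityKeyIdentifier rules listed in the message above can be checked mechanically. The following Python is an added example, not part of the original message or of the CA/Browser Forum documents; the function names and the sample byte strings are constructed for illustration, and the input is assumed to be the DER encoding of the extension value (the AuthorityKeyIdentifier SEQUENCE).

```python
# Added example: lint a DER-encoded AuthorityKeyIdentifier (AKI) value, stdlib only.

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def lint_aki(ext_value, self_signed_root=False):
    """ext_value: DER of the AKI SEQUENCE, or None when the extension is absent."""
    if ext_value is None:
        return [] if self_signed_root else ["AKI extension missing"]
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected exactly one DER SEQUENCE")
    fields, pos = set(), 0
    while pos < len(body):                     # collect top-level context tags
        tag, _, pos = read_tlv(body, pos)
        fields.add(tag)
    has_key_id = 0x80 in fields                # [0] keyIdentifier
    # [1] authorityCertIssuer / [2] authorityCertSerialNumber; RFC 5280 says
    # these two appear together, so either one counts as the pair here.
    has_issuer_serial = bool(fields & {0xA1, 0x82})
    findings = []
    if not has_key_id:
        findings.append("keyIdentifier missing")
    elif has_issuer_serial:
        findings.append("keyIdentifier combined with issuer/serial")
    return findings

def tlv(tag, content):                         # sample builder, short lengths only
    return bytes([tag, len(content)]) + content

KEY_ID = tlv(0x80, bytes(range(20)))           # constructed 20-byte identifier
ISSUER = tlv(0xA1, tlv(0x82, b"ca.example"))   # GeneralNames with one dNSName
SERIAL = tlv(0x82, b"\x01")
SAMPLES = {
    "key_id_only": tlv(0x30, KEY_ID),
    "all_three": tlv(0x30, KEY_ID + ISSUER + SERIAL),
    "issuer_serial_only": tlv(0x30, ISSUER + SERIAL),
}
```

`lint_aki` returns an empty list for a compliant value and one finding string per violated rule.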
