[Smcwg-public] Scope of S/MIME BRs and No EKU in an S/MIME Certificate

Tim Hollebeek tim.hollebeek at digicert.com
Fri Jul 28 19:36:53 UTC 2023

No EKU is the same as AnyEKU, and should be treated accordingly.

Otherwise you’re diverging from RFC 5280 and there’s no reason to even contemplate that for this.


From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Ben Wilson via Smcwg-public
Sent: Friday, July 28, 2023 9:45 AM
To: SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: [Smcwg-public] Scope of S/MIME BRs and No EKU in an S/MIME Certificate

For TLS Certificates, I think it was discovered that they would still work if there was no EKU in them (or maybe that was just the chaining down from Intermediate CA certificates).  Anyway, I have commented in a discussion on the Mozilla Dev-Security-Policy list <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/wJ318VEXdTo/m/zM66bPpEAgAJ> about the scope of the Mozilla Root Store Policy as it applies to SMIME certificates. Presence of the anyEKU EKU should bring them in scope of Mozilla policy, but what about end entity certificates that have no EKU?  Does anyone want to comment on that thread in MDSP?
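The three cases raised in this thread (emailProtection, anyEKU, and no EKU extension at all) can be told apart mechanically when auditing a certificate inventory. The sketch below is an added example, not code from either poster or from the CA/Browser Forum; it assumes the Python `cryptography` package, the function names are hypothetical, and the sample certificates are constructed in the script.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID


def make_cert(eku_oids):
    """Build a constructed, self-signed sample cert; eku_oids=None omits the EKU extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed sample")])
    start = datetime.datetime(2023, 7, 28)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=1))
    )
    if eku_oids is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku_oids), critical=False)
    return builder.sign(key, hashes.SHA256())


def eku_class(cert):
    """Return 'no-eku', 'emailProtection', 'anyEKU' or 'other' for one certificate."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    except x509.ExtensionNotFound:
        return "no-eku"  # extension absent: distinct from an EKU that lists other purposes
    oids = set(ext.value)
    if EKU.EMAIL_PROTECTION in oids:
        return "emailProtection"
    if EKU.ANY_EXTENDED_KEY_USAGE in oids:
        return "anyEKU"
    return "other"


def email_use_permitted(cert):
    """Assumption: RFC 5280 reading, where an absent EKU extension restricts no purpose."""
    return eku_class(cert) in {"no-eku", "anyEKU", "emailProtection"}
```

A certificate whose EKU lists only other purposes (for example serverAuth) is the one case this check excludes.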
