[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?
brian at briansmith.org
Mon Nov 3 14:36:43 MST 2014
On Mon, Nov 3, 2014 at 1:32 PM, Eddy Nigg <eddy_nigg at startcom.org> wrote:
> On 11/03/2014 11:20 PM, Brian Smith wrote:
> 2. Require the revocation of any intermediate certificates that do not
> have an EKU extension or have an EKU extension with anyExtendedKeyUsage
> and/or have an EKU extension with id-kp-serverAuth.
> You must be joking, aren't you? :-)
Sorry, I omitted a qualifier: "...that do not conform to the BRs (e.g. are
not technically constrained or publicly audited)."
In other words, require the revocation of CA certificates that do not
comply with the BRs, if issued by a CA for which the BRs apply. Again, this
should already be the case.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public