[cabfpub] (Eventually) requiring id-kpServerAuth for all certs in the chain?
gerv at mozilla.org
Thu Nov 20 07:02:58 MST 2014
On 19/11/14 23:21, Jeremy Rowley wrote:
> I think Ryan’s suggestion is best. If all intermediates capable of SSL
> issuance are BR audited, then there isn’t an issue. You still need to
> disclose their existence in accordance with the Mozilla policy, but
> there won’t be a need to reissue the certs.
> Plus, all the groups I contacted responded that their intermediates are
> already compliant and wouldn’t have issues with a BR audit. I’d support
> moving forward with Ryan’s proposal.
How does Ryan's proposal differ from Brian's?
Brian's proposal, as I now understand it, is basically that we make what
Mozilla requires (in terms of constrain or disclose-and-audit) part of
the BRs rather than just Mozilla policy. And we define that the BRs
cover all publicly-trusted roots, all disclosed-and-audited
intermediates, and certificates issued from them.