Because the Mozilla root store is used by more people than Mozilla,
Kathleen would like to put anyEKU in scope even though Firefox ignores it.
That would involve updating Section 1.1, as follows.
Change item 2 to read:
“2. Intermediate certificates which have at least one valid, unrevoked
chain up to such a CA certificate and which are not technically
constrained to prevent issuance of working server or email certificates.
Such technical constraints could consist of either:
* an Extended Key Usage (EKU) extension which does not contain any of
  these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth,
  id-kp-emailProtection; or:
* name constraints which do not allow Subject Alternative Names (SANs) of
  any of the following types: dNSName, iPAddress, SRVName, rfc822Name”
Change the first bullet point in item 3 to:
“an Extended Key Usage (EKU) extension which contains one or more of
these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth,
id-kp-emailProtection; or:”
This is:
https://github.com/mozilla/pkipolicy/issues/79
-------
This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on GitHub. Silence
is consent.
Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates
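
The scope test in the proposed Section 1.1 wording, as an added Python example that is not part of the original post or of any Mozilla tooling. The Intermediate model and the function names are hypothetical; the certificate is assumed to already have a valid, unrevoked chain to an included root, and its name constraints are assumed to be pre-evaluated into the set of SAN types they still allow. The EKU list without anyExtendedKeyUsage is constructed only for comparison.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# KeyPurposeId OIDs from RFC 5280, section 4.2.1.12
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"

# KeyPurposeIds named in the proposed item 2 / item 3 text
PROPOSED_EKUS = frozenset({ANY_EKU, SERVER_AUTH, EMAIL_PROTECTION})
# Constructed for comparison only: the same list without anyExtendedKeyUsage
WITHOUT_ANY_EKU = frozenset({SERVER_AUTH, EMAIL_PROTECTION})
# SAN types named in the name-constraints bullet
SAN_TYPES = frozenset({"dNSName", "iPAddress", "SRVName", "rfc822Name"})


@dataclass(frozen=True)
class Intermediate:
    """Hypothetical, already-parsed view of an intermediate certificate."""
    eku: Optional[FrozenSet[str]]  # None means no EKU extension at all
    # SAN types the name constraints still allow; None means no
    # name constraints extension, so every type is allowed (assumption).
    san_types_allowed: Optional[FrozenSet[str]] = None


def technically_constrained(cert, in_scope_ekus=PROPOSED_EKUS):
    # EKU bullet: the extension must be present AND list none of the EKUs.
    by_eku = cert.eku is not None and not (cert.eku & in_scope_ekus)
    # Name-constraints bullet: none of the four SAN types may be allowed.
    by_names = (cert.san_types_allowed is not None
                and not (cert.san_types_allowed & SAN_TYPES))
    return by_eku or by_names


def in_scope(cert, in_scope_ekus=PROPOSED_EKUS):
    """True if the proposed item 2 would cover this intermediate."""
    return not technically_constrained(cert, in_scope_ekus)


# Constructed sample intermediates
NO_EKU = Intermediate(eku=None)
ANY_ONLY = Intermediate(eku=frozenset({ANY_EKU}))
CODE_ONLY = Intermediate(eku=frozenset({CODE_SIGNING}))
TLS_NO_NAMES = Intermediate(eku=frozenset({SERVER_AUTH}),
                            san_types_allowed=frozenset())
TLS_DNS_ONLY = Intermediate(eku=frozenset({SERVER_AUTH}),
                            san_types_allowed=frozenset({"dNSName"}))

if __name__ == "__main__":
    for name in ("NO_EKU", "ANY_ONLY", "CODE_ONLY", "TLS_NO_NAMES", "TLS_DNS_ONLY"):
        print(name, "in scope:", in_scope(globals()[name]))
```

The ANY_ONLY case is the one the proposal changes: it is in scope with the proposed list and counts as technically constrained with the comparison list.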