
Policy 2.5 Proposal: Add anyEKU to scope


Gervase Markham

May 12, 2017, 9:00:21 AM
to mozilla-dev-s...@lists.mozilla.org
Because the Mozilla root store is used by more people than Mozilla,
Kathleen would like to put anyEKU in scope even though Firefox ignores it.

That would involve updating Section 1.1, as follows.

Change item 2 to read:

“2. Intermediate certificates which have at least one valid, unrevoked
chain up to such a CA certificate and which are not technically
constrained to prevent issuance of working server or email certificates.
Such technical constraints could consist of either:
an Extended Key Usage (EKU) extension which does not contain any of
these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth,
id-kp-emailProtection; or:
name constraints which do not allow Subject Alternative Names (SANs) of
any of the following types: dNSName, iPAddress, SRVName, rfc822Name”

Change the first bullet point in item 3 to:

“an Extended Key Usage (EKU) extension which contains one or more of
these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth,
id-kp-emailProtection; or:”

This is: https://github.com/mozilla/pkipolicy/issues/79

-------

This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates
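As an added illustration (not part of the thread or of the policy itself), a small Python model of the Section 1.1 scoping rule for intermediates, evaluated both without and with the proposed anyExtendedKeyUsage addition. It works on already-parsed extension contents rather than DER certificates: EKU KeyPurposeIds as OID strings, and, as a simplifying assumption, the set of SAN types a name constraints extension still permits.

```python
# Added example: models the Section 1.1 "technically constrained" test for
# intermediate certificates. Inputs are pre-parsed extension contents, not
# X.509 certificates; the OIDs below are the standard RFC 5280 values.

ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
EMAIL_PROT = "1.3.6.1.5.5.7.3.4"    # id-kp-emailProtection
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning, used only as sample input

# KeyPurposeIds that keep an intermediate in scope, before and after the proposal.
IN_SCOPE_EKUS_BEFORE = frozenset({SERVER_AUTH, EMAIL_PROT})
IN_SCOPE_EKUS_PROPOSED = IN_SCOPE_EKUS_BEFORE | {ANY_EKU}

# SAN types that name constraints must block for the name-constraints branch.
CONSTRAINED_SAN_TYPES = frozenset({"dNSName", "iPAddress", "SRVName", "rfc822Name"})


def eku_constrained(eku, in_scope_ekus):
    """True if an EKU extension is present and contains none of in_scope_ekus.
    eku is None when the extension is absent, which is not a constraint."""
    if eku is None:
        return False
    return not (set(eku) & in_scope_ekus)


def name_constrained(allowed_san_types):
    """True if name constraints permit none of the SAN types in
    CONSTRAINED_SAN_TYPES. allowed_san_types is None when the extension is
    absent (assumption: the caller has reduced the constraints to a set of
    SAN types that can still be issued)."""
    if allowed_san_types is None:
        return False
    return not (set(allowed_san_types) & CONSTRAINED_SAN_TYPES)


def in_scope(eku, allowed_san_types, proposed=True):
    """Is the intermediate in scope of the policy? Either constraint suffices
    to take it out of scope; proposed=False evaluates the pre-2.5 EKU list."""
    ekus = IN_SCOPE_EKUS_PROPOSED if proposed else IN_SCOPE_EKUS_BEFORE
    return not (eku_constrained(eku, ekus) or name_constrained(allowed_san_types))


if __name__ == "__main__":
    # The case the proposal changes: an intermediate whose only EKU is anyEKU.
    print("anyEKU only, before:", in_scope([ANY_EKU], None, proposed=False))
    print("anyEKU only, proposed:", in_scope([ANY_EKU], None, proposed=True))
```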

Kurt Roeckx

May 12, 2017, 11:31:51 AM
to mozilla-dev-s...@lists.mozilla.org
On 2017-05-12 15:00, Gervase Markham wrote:
> Because the Mozilla root store is used by more people than Mozilla,
> Kathleen would like to put anyEKU in scope even though Firefox ignores it.

I think the CCADB document needs to be updated too.


Kurt


Kurt Roeckx

May 12, 2017, 11:35:55 AM
to mozilla-dev-s...@lists.mozilla.org
It might already be correct.


Kurt


Gervase Markham

May 19, 2017, 8:13:27 AM
to mozilla-dev-s...@lists.mozilla.org
On 12/05/17 14:00, Gervase Markham wrote:
> Because the Mozilla root store is used by more people than Mozilla,
> Kathleen would like to put anyEKU in scope even though Firefox ignores it.

Implemented as specced.

Gerv