For what it is worth, I agree with Brian. I would go a bit further and say certificates need to be issued for explicit usages; anything else produces potentially unknown behaviors.

What's most important, though, is that any certificate that is trusted as a result of membership in the Mozilla root program and that can technically be used for SSL on the public web is subject to the program requirements, intent or not. It seems that, since MSFT already requires leaves to have an EKU, it wouldn't be breaking to apply the same rule in Mozilla's program.

Ryan

On Wednesday, April 17, 2019 at 12:27:49 PM UTC-7, Brian Smith wrote:
> Wayne Thayer via dev-security-policy <[email protected]> wrote:
>
> > My conclusion from this discussion is that we should not add an explicit
> > requirement for EKUs in end-entity certificates. I've closed the issue.
>
> What will happen to all the certificates without an EKU that currently
> exist, which don't conform to the program requirements?
>
> For what it's worth, I don't object to a requirement for having an explicit
> EKU in certificates covered by the program. Like I said, I think every
> certificate that is issued should be issued with a clear understanding of
> what applications it will be used for, and having an EKU extension does
> achieve that.
>
> The thing I am attempting to avoid is the implication that a missing EKU
> implies a certificate is not subject to the program's requirements.
>
> Cheers,
> Brian

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
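The point both posters agree on is that "technically usable for SSL on the public web" is decided by the extKeyUsage extension, and that an absent extension does not take a certificate out of scope. The following is an added example, not code from the thread or from Mozilla's policy tooling: it takes the raw DER value of a leaf's extKeyUsage extension (what any X.509 parser hands back for OID 2.5.29.37) and answers whether a TLS client would treat the certificate as usable for server authentication under RFC 5280 semantics. The key-purpose OIDs are the ones RFC 5280 section 4.2.1.12 defines; the tiny DER encoder/decoder and the constructed extension values exist only so the example runs offline. Treating anyExtendedKeyUsage as in scope is an assumption about the client, and individual clients differ on it.

```python
"""Classify a leaf certificate's extKeyUsage for TLS-server scope.

Added example; not from the mailing-list thread. Works on the DER value of
the extKeyUsage extension rather than on a whole certificate, and carries a
minimal DER OID codec so it needs no third-party library.
"""
from typing import List, Optional, Sequence, Tuple

# Key-purpose OIDs from RFC 5280 section 4.2.1.12.
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
OID_ANY_EKU = "2.5.29.37.0"


def _encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID as an OBJECT IDENTIFIER TLV (short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids: Sequence[str]) -> bytes:
    """Build a DER ExtKeyUsageSyntax (SEQUENCE OF KeyPurposeId) as constructed test input."""
    inner = b"".join(_encode_oid(o) for o in oids)
    if len(inner) >= 128:
        raise ValueError("short-form length only; sufficient for test data")
    return bytes([0x30, len(inner)]) + inner


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, contents, offset just past it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER contents")
    return tag, buf[pos:end], end


def _decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents (base-128 subidentifiers) to dotted form."""
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    arc0 = 0 if first < 40 else (1 if first < 80 else 2)
    arcs = [arc0, first - 40 * arc0]
    value, pending = 0, False
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID subidentifier")
    return ".".join(str(a) for a in arcs)


def decode_eku(ext_value: bytes) -> List[str]:
    """Parse an extKeyUsage extension value into its list of key-purpose OIDs."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extKeyUsage value is not a single SEQUENCE")
    oids: List[str] = []
    pos = 0
    while pos < len(body):
        t, oid_body, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(_decode_oid(oid_body))
    if not oids:
        raise ValueError("ExtKeyUsageSyntax requires at least one KeyPurposeId")
    return oids


def tls_server_in_scope(ext_value: Optional[bytes]) -> bool:
    """True when the leaf is technically usable for TLS server authentication.

    ext_value is None when the certificate carries no extKeyUsage extension;
    RFC 5280 then places no restriction on purpose, so the certificate is in
    scope. anyExtendedKeyUsage is treated as in scope here (an assumption
    about client behaviour; clients differ on this).
    """
    if ext_value is None:
        return True
    purposes = decode_eku(ext_value)
    return OID_SERVER_AUTH in purposes or OID_ANY_EKU in purposes


if __name__ == "__main__":
    # Constructed cases: no EKU, email-only EKU, and a mixed EKU containing serverAuth.
    for label, value in [("no EKU", None),
                         ("emailProtection only", encode_eku([OID_EMAIL_PROTECTION])),
                         ("codeSigning + serverAuth", encode_eku([OID_CODE_SIGNING, OID_SERVER_AUTH]))]:
        print(f"{label}: TLS-server in scope = {tls_server_in_scope(value)}")
```

The check deliberately reports a certificate with no extKeyUsage as in scope, which is the reading Brian argues for: the absence of the extension widens what the certificate can be used for rather than exempting it from the rules that apply to TLS-capable leaves.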

