Nelson Bolyard wrote:
> Every root CA has EKU info associated with it, limiting the applications
> for that CA.

From their document: "We will attach EKU metadata to the certificate as metadata in the Windows certificate store so you do not need to regenerate your root certificate with the EKU extension."

It is a good thing that they also do it that way, because the mechanism of setting some EKU values on a CA certificate that are intended to serve as a constraint limiting the allowed EKU on the End Entity certificates under it is *not* PKIX/X.509 compliant. An EKU applies to *the* cert that contains it, and the meaning of setting an SSL client/SSL server EKU on a CA cert is unclear, at best (under a strict, to-the-letter reading, it should make that cert unusable). Whereas RFC 3280 also says that it's OK, when needed, to use application-specific data to further constrain path validation.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
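The two readings discussed above, as an added example that is not part of the thread or of any vendor's code: a strict PKIX policy in which an EKU extension restricts only the certificate carrying it, beside a chain-constrained policy in which a CA's EKU list (whether encoded in the certificate or attached as trust-store metadata, as the quoted document describes) limits every certificate below it. The `Cert` model, the `store_eku` field and the policy names are assumptions for the illustration.

```python
# Added example (not from the mailing-list thread): compares strict PKIX EKU
# handling with a chain-constrained policy that applies CA-level EKU lists.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage

@dataclass(frozen=True)
class Cert:
    subject: str
    # None means the EKU extension is absent, i.e. no purpose restriction.
    eku: Optional[FrozenSet[str]] = None
    # Hypothetical field: an EKU list attached by the trust store rather
    # than encoded in the certificate (the "metadata" approach quoted above).
    store_eku: Optional[FrozenSet[str]] = None

def allowed_purposes(cert: Cert, use_store_metadata: bool) -> Optional[FrozenSet[str]]:
    """Effective purpose set of one certificate; None means unrestricted."""
    sources = [cert.eku, cert.store_eku if use_store_metadata else None]
    sets = [s for s in sources if s is not None]
    if not sets:
        return None
    result = sets[0]
    for s in sets[1:]:
        result = result & s
    return result

def permits(purposes: Optional[FrozenSet[str]], purpose: str) -> bool:
    return purposes is None or purpose in purposes or ANY_EKU in purposes

def leaf_valid_for(chain: List[Cert], purpose: str, policy: str) -> bool:
    """chain is ordered root first, end-entity last."""
    if policy == "pkix_strict":
        # RFC 3280 4.2.1.13: EKU restricts only the certificate that contains it,
        # so only the end-entity certificate's own extension is consulted.
        return permits(allowed_purposes(chain[-1], use_store_metadata=False), purpose)
    if policy == "chain_constrained":
        # Every certificate's EKU (extension or store metadata) must permit the
        # purpose, so a CA's list narrows what its subordinates may be used for.
        return all(permits(allowed_purposes(c, use_store_metadata=True), purpose)
                   for c in chain)
    raise ValueError(f"unknown policy: {policy}")
```

With a root whose store metadata lists only serverAuth and clientAuth, a leaf that additionally carries codeSigning passes a code-signing check under the strict reading but fails it under the chain-constrained one.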