At 6:21 PM +0100 3/5/08, Jean-Marc Desperrier wrote:
>Paul Hoffman wrote:
>> [...]
>> For this to work, Microsoft path validation also checks that the end
>> certificate is consistent with the EKU property of the root. This part
>> adds to X.509 and rfc 3280bis.
>
>:s/adds to/conflicts with/
Actually, I disagree. 3280bis says of EKUs:
In general, this
extension will appear only in end entity certificates.
That is soft and mushy enough for Microsoft to use them in root
certs, in my opinion. It's not even a "SHOULD NOT".
>It would be good if the page
>http://www.microsoft.com/technet/archive/security/news/rootcert.mspx?mfr=true
>was written in a way that makes that *clearly* the preferred method.
I am hoping that my questions to the folks at Microsoft will cause
that to happen.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
